summaryrefslogtreecommitdiff
path: root/docs/releases/5.2.9.txt
blob: ba235d05c69b192e983ba38ebcef4ec6de023318 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

==========================
Django 5.2.9 release notes
==========================

*December 2, 2025*

Django 5.2.9 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.8.

CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
============================================================================================

:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
PostgreSQL.

CVE-2025-64460: Potential denial-of-service vulnerability in XML ``Deserializer``
=================================================================================

:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
denial-of-service attack due to quadratic time complexity when deserializing
crafted documents containing many nested invalid elements. The internal helper
``django.core.serializers.xml_serializer.getInnerText()`` previously
accumulated inner text inefficiently during recursion. It now collects text per
element, avoiding excessive resource usage.

Bugfixes
========

* Fixed a bug in Django 5.2 where
  ``django.utils.feedgenerator.Stylesheet.__str__()`` did not escape
  the ``url``, ``mimetype``, and ``media`` attributes, potentially leading
  to invalid XML markup (:ticket:`36733`).

* Fixed a bug in Django 5.2 on PostgreSQL where ``bulk_create()`` did not apply
  a field's custom query placeholders (:ticket:`36748`).

* Fixed a regression in Django 5.2.2 that caused a crash when using aggregate
  functions with an empty ``Q`` filter over a queryset with annotations
  (:ticket:`36751`).

* Fixed a regression in Django 5.2.8 where ``DisallowedRedirect`` was raised by
  :class:`~django.http.HttpResponseRedirect` and
  :class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
  characters. The limit is now 16384 characters (:ticket:`36743`).

* Fixed a crash on Python 3.14+ that prevented template tag functions from
  being registered when their type annotations required deferred evaluation
  (:ticket:`36712`).
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 21:34:44 +0000