The NetBSD Project

CVS log for pkgsrc/www/py-django3/Attic/Makefile


Keyword substitution: kv
Default branch: MAIN


Revision 1.41
Sun Mar 30 15:04:36 2025 UTC (3 weeks, 2 days ago) by adam
Branches: MAIN
CVS tags: HEAD
FILE REMOVED
Changes since revision 1.40: +1 -1 lines
py-django3: removed; end of life

Revision 1.40
Wed Mar 5 10:42:09 2025 UTC (7 weeks ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2025Q1-base, pkgsrc-2025Q1
Changes since revision 1.39: +4 -3 lines
py-django3: fix wheel name for latest setuptools and depend on it

Bump PKGREVISION.

Revision 1.39
Mon Nov 11 07:29:20 2024 UTC (5 months, 1 week ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2024Q4-base, pkgsrc-2024Q4
Changes since revision 1.38: +1 -2 lines
py-*: remove unused tool dependency

py-setuptools includes the py-wheel functionality nowadays

Revision 1.38
Mon Mar 4 15:47:29 2024 UTC (13 months, 2 weeks ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2024Q3-base, pkgsrc-2024Q3, pkgsrc-2024Q2-base, pkgsrc-2024Q2, pkgsrc-2024Q1-base, pkgsrc-2024Q1
Changes since revision 1.37: +2 -2 lines
py-django3: updated to 3.2.25

Django 3.2.25 fixes a security issue with severity “moderate” and a regression in 3.2.24.

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).

Bugfixes

Fixed a regression in Django 3.2.24 where intcomma template filter could return a leading comma for string representation of floats.

Revision 1.37
Thu Feb 8 22:46:48 2024 UTC (14 months, 1 week ago) by adam
Branches: MAIN
Changes since revision 1.36: +5 -5 lines
py-django3: updated to 3.2.24

Django 3.2.24 fixes a security issue with severity “moderate” in 3.2.23.

CVE-2024-24680: Potential denial-of-service in intcomma template filter

The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

Revision 1.36
Wed Nov 1 20:17:00 2023 UTC (17 months, 3 weeks ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4
Changes since revision 1.35: +2 -2 lines
py-django3: updated to 3.2.23

Django 3.2.23

CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows

Revision 1.35
Wed Oct 4 20:13:51 2023 UTC (18 months, 2 weeks ago) by adam
Branches: MAIN
Changes since revision 1.34: +2 -2 lines
py-django3: updated to 3.2.22

Django 3.2.22 fixes a security issue with severity “moderate” in 3.2.21.

CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.

The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.

Revision 1.34
Wed Sep 13 09:58:30 2023 UTC (19 months, 1 week ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2023Q3-base, pkgsrc-2023Q3
Changes since revision 1.33: +2 -2 lines
py-django3: updated to 3.2.21

Django 3.2.21 fixes a security issue with severity “moderate” in 3.2.20.

CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()

Revision 1.33
Fri Aug 4 05:22:05 2023 UTC (20 months, 2 weeks ago) by adam
Branches: MAIN
Changes since revision 1.32: +2 -2 lines
py-django3: updated to 3.2.20

Django 3.2.20 fixes a security issue with severity “moderate” in 3.2.19.

CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator

EmailValidator and URLValidator were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.

Revision 1.32
Wed May 10 09:01:46 2023 UTC (23 months, 2 weeks ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2
Changes since revision 1.31: +2 -2 lines
py-django3: updated to 3.2.19

Django 3.2.19

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field

Revision 1.31
Tue Feb 14 09:50:16 2023 UTC (2 years, 2 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2023Q1-base, pkgsrc-2023Q1
Changes since revision 1.30: +2 -2 lines
py-django: update to 3.2.18.

===========================
Django 3.2.18 release notes
===========================

*February 14, 2023*

Django 3.2.18 fixes a security issue with severity "moderate" in 3.2.17.

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
=========================================================================

Passing certain inputs to multipart forms could result in too many open files
or memory exhaustion, and provided a potential vector for a denial-of-service
attack.

The number of files parts parsed is now limited via the new
:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.

===========================
Django 3.2.17 release notes
===========================

*February 1, 2023*

Django 3.2.17 fixes a security issue with severity "moderate" in 3.2.16.

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers
===========================================================================

The parsed values of ``Accept-Language`` headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.

In order to avoid this vulnerability, the ``Accept-Language`` header is now
parsed up to a maximum length.

Revision 1.30
Fri Nov 18 06:00:20 2022 UTC (2 years, 5 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since revision 1.29: +2 -2 lines
py-django3: updated to 3.2.16

Django 3.2.16 fixes a security issue with severity “medium” in 3.2.15.

CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs

Internationalized URLs were subject to potential denial of service attack via the locale parameter.

Revision 1.29
Wed Sep 14 10:00:40 2022 UTC (2 years, 7 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since revision 1.28: +2 -2 lines
py-django3: updated to 3.2.15

Django 3.2.15 fixes a security issue with severity “high”

CVE-2022-36359: Potential reflected file download vulnerability in FileResponse

An application may have been vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename was derived from user-supplied input. The filename is now escaped to avoid this possibility.

Revision 1.28
Wed Apr 20 12:29:47 2022 UTC (3 years ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since revision 1.27: +2 -2 lines
py-django3: updated to 3.2.13

Django 3.2.13 fixes two security issues with severity “high” in 3.2.12 and a regression in 3.2.4.

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()

QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL

QuerySet.explain() method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument.

Bugfixes

Fixed a regression in Django 3.2.4 that caused the auto-reloader to no longer detect changes when the DIRS option of the TEMPLATES setting contained an empty string

Revision 1.27
Wed Feb 2 10:23:41 2022 UTC (3 years, 2 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since revision 1.26: +2 -2 lines
py-django3: updated to 3.2.12

Django 3.2.12 fixes two security issues with severity “medium” in 3.2.11.

CVE-2022-22818: Possible XSS via {% debug %} template tag

CVE-2022-23833: Denial-of-service possibility in file uploads

Revision 1.26
Wed Jan 19 09:51:25 2022 UTC (3 years, 3 months ago) by adam
Branches: MAIN
Changes since revision 1.25: +2 -3 lines
py-django3: updated to 3.2.11

Django 3.2.11 fixes one security issue with severity “medium” and two security issues with severity “low” in 3.2.10.
- CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator
- CVE-2021-45116: Potential information disclosure in dictsort template filter
- CVE-2021-45452: Potential directory-traversal via Storage.save()

Revision 1.25
Wed Jan 5 15:51:59 2022 UTC (3 years, 3 months ago) by wiz
Branches: MAIN
Changes since revision 1.24: +3 -2 lines
py-django*: switch to USE_PKG_RESOURCES

Revision 1.24
Wed Jan 5 10:09:53 2022 UTC (3 years, 3 months ago) by wiz
Branches: MAIN
Changes since revision 1.23: +3 -2 lines
py-django*: add dependency on py-setuptools

These use pkg_resources.

Noted by joerg.

Bump PKGREVISION.

Revision 1.23
Tue Jan 4 20:55:22 2022 UTC (3 years, 3 months ago) by wiz
Branches: MAIN
Changes since revision 1.22: +2 -1 lines
*: bump PKGREVISION for egg.mk users

They now have a tool dependency on py-setuptools instead of a DEPENDS

Revision 1.22
Tue Dec 14 09:00:37 2021 UTC (3 years, 4 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since revision 1.21: +2 -2 lines
py-django3: updated to 3.2.10

3.2.10:

CVE-2021-44420: Potential bypass of an upstream access control based on URL paths

HTTP requests for URLs with trailing newlines could bypass an upstream access control based on URL paths.

Bugfixes

Fixed a regression in Django 3.2 that caused a crash of setUpTestData() with BinaryField on PostgreSQL, which is memoryview-backed

Revision 1.21
Thu Nov 4 13:37:34 2021 UTC (3 years, 5 months ago) by adam
Branches: MAIN
Changes since revision 1.20: +2 -2 lines
py-django3: updated to 3.2.9

Django 3.2.9 fixes a bug in 3.2.8 and adds compatibility with Python 3.10.

Bugfixes

Fixed a bug in Django 3.2 that caused a migration crash on SQLite when altering a field with a functional index

Revision 1.20
Tue Oct 5 18:33:49 2021 UTC (3 years, 6 months ago) by adam
Branches: MAIN
Changes since revision 1.19: +2 -2 lines
py-django3: updated to 3.2.8

Django 3.2.8 fixes two bugs in 3.2.7.

Bugfixes

Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin.
Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view.

Revision 1.19
Sun Sep 5 09:41:38 2021 UTC (3 years, 7 months ago) by wen
Branches: MAIN
CVS tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since revision 1.18: +2 -2 lines
Update to 3.2.7

Upstream changes:
Django 3.2.7 fixes a bug in 3.2.6.

Bugfixes
Fixed a regression in Django 3.2 that caused the incorrect offset extraction from fixed offset timezones (#32992).

Revision 1.18
Mon Aug 2 20:33:58 2021 UTC (3 years, 8 months ago) by adam
Branches: MAIN
Changes since revision 1.17: +2 -2 lines
py-django3: updated to 3.2.6

Django 3.2.6

Bugfixes

Fixed a regression in Django 3.2 that caused a crash validating "NaN" input with a forms.DecimalField when additional constraints, e.g. max_value, were specified.
Fixed a bug in Django 3.2 where a system check would crash on a model with a reverse many-to-many relation inherited from a parent class.

Revision 1.17
Tue Jul 6 05:57:43 2021 UTC (3 years, 9 months ago) by adam
Branches: MAIN
Changes since revision 1.16: +2 -2 lines
py-django3: updated to 3.2.5

Django 3.2.5 fixes a security issue with severity “high” and several bugs in 3.2.4. Also, the latest string translations from Transifex are incorporated.

CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input

Unsanitized user input passed to QuerySet.order_by() could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1.

The issue is not present in the main branch as the deprecated path has been removed.

Bugfixes

Fixed a regression in Django 3.2 that caused a crash of QuerySet.values_list(…, named=True) after prefetch_related().
Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when altering BinaryField, JSONField, or TextField to non-nullable.
Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when adding nullable BinaryField, JSONField, or TextField with a default value.
Fixed a bug in Django 3.2 where a system check would crash on a model with an invalid app_label

Revision 1.16
Sat Jun 5 07:22:03 2021 UTC (3 years, 10 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since revision 1.15: +2 -2 lines
py-django3: updated to 3.2.4

Django 3.2.4 fixes two security issues and several bugs in 3.2.3.

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.

Bugfixes

Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t respect the server-provided value of SCRIPT_NAME when redirecting unauthenticated users to the login page
Fixed a bug in Django 3.2 where a system check would crash on an abstract model
Prevented unnecessary initialization of unused caches following a regression in Django 3.2
Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the recommended settings while the Windows colorama library was installed
Fixed a bug in Django 3.2 that would trigger the auto-reloader for template changes when directory paths were specified with strings
Fixed a regression in Django 3.2 that caused a crash of auto-reloader with AttributeError, e.g. inside a Conda environment
Fixed a regression in Django 3.2 that caused a loss of precision for operations with DecimalField on MySQL

Revision 1.15
Fri May 14 18:54:38 2021 UTC (3 years, 11 months ago) by adam
Branches: MAIN
Changes since revision 1.14: +2 -2 lines
py-django3: updated to 3.2.3

Django 3.2.3 fixes several bugs in 3.2.2.

Bugfixes

Prepared for mysqlclient > 2.0.3 support.
Fixed a regression in Django 3.2 that caused the incorrect filtering of querysets combined with the | operator.
Fixed a regression in Django 3.2.1 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path.


Django 3.2.2 fixes a security issue and a bug in 3.2.1.

CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn’t vulnerable because HttpResponse prohibits newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.

Revision 1.14
Wed May 5 07:06:29 2021 UTC (3 years, 11 months ago) by adam
Branches: MAIN
Changes since revision 1.13: +3 -3 lines
py-django3: updated to 3.2.1

Django 3.2.1

CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.

Bugfixes

Corrected detection of GDAL 3.2 on Windows.
Fixed a bug in Django 3.2 where subclasses of BigAutoField and SmallAutoField were not allowed for the DEFAULT_AUTO_FIELD setting.
Fixed a regression in Django 3.2 that caused a crash of QuerySet.values()/values_list() after QuerySet.union(), intersection(), and difference() when it was ordered by an unannotated field.
Restored, following a regression in Django 3.2, displaying an exception message on the technical 404 debug page.
Fixed a bug in Django 3.2 where a system check would crash on reverse one-to-one relationships in CheckConstraint.check or UniqueConstraint.condition.
Fixed a regression in Django 3.2 that caused a crash of ModelAdmin.search_fields when searching against phrases with unbalanced quotes.
Fixed a bug in Django 3.2 where variable lookup errors were logged rendering the sitemap template if alternates were not defined.
Fixed a regression in Django 3.2 that caused a crash when combining Q() objects which contain boolean expressions.
Fixed a regression in Django 3.2 that caused a crash of QuerySet.update() on a queryset ordered by inherited or joined fields on MySQL and MariaDB.
Fixed a regression in Django 3.2 that caused a crash when decoding a cookie value, used by django.contrib.messages.storage.cookie.CookieStorage, in the pre-Django 3.2 format.
Fixed a regression in Django 3.2 that stopped the shift-key modifier selecting multiple rows in the admin changelist.
Fixed a bug in Django 3.2 where a system check would crash on the STATICFILES_DIRS setting with a list of 2-tuples of (prefix, path).
Fixed a long standing bug involving queryset bitwise combination when used with subqueries that began manifesting in Django 3.2, due to a separate fix using Exists to exclude() multi-valued relationships.
Fixed a bug in Django 3.2 where variable lookup errors were logged when rendering some admin templates.
Fixed a bug in Django 3.2 where an admin changelist would crash when deleting objects filtered against multi-valued relationships. The admin changelist now uses Exists() instead of QuerySet.distinct() because calling delete() after distinct() is not allowed in Django 3.2 to address a data loss possibility.
Fixed a regression in Django 3.2 where the calling process environment would not be passed to the dbshell command on PostgreSQL.
Fixed a performance regression in Django 3.2 when building complex filters with subqueries. As a side-effect the private API to check django.db.sql.query.Query equality is removed.

Django 3.2.0:
Automatic AppConfig discovery simplifies configuration of pluggable applications.
Customizing the type of auto-created primary keys begins a process of migrating to BigAutoField primary key fields by default.
Functional indexes can now be created on expressions and database functions.

Revision 1.13
Mon Mar 1 12:43:26 2021 UTC (4 years, 1 month ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since revision 1.12: +2 -2 lines
py-django3: updated to 3.1.7

Django 3.1.7 fixes a security issue and a bug in 3.1.6.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.

Bugfixes

Fixed a regression in Django 3.1 that caused RuntimeError instead of connection errors when using only the 'postgres' database

Revision 1.12
Fri Feb 5 07:55:02 2021 UTC (4 years, 2 months ago) by adam
Branches: MAIN
Changes since revision 1.11: +2 -2 lines
py-django3: updated to 3.1.6

Django 3.1.6 fixes a security issue with severity “low” and a bug in 3.1.5.

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.

Bugfixes

Fixed an admin layout issue in Django 3.1 where changelist filter controls would become squashed

Revision 1.11
Wed Jan 6 12:17:15 2021 UTC (4 years, 3 months ago) by adam
Branches: MAIN
Changes since revision 1.10: +2 -2 lines
py-django3: updated to 3.1.5

Django 3.1.5 fixes several bugs in 3.1.4.

Fixed __isnull=True lookup on key transforms for JSONField with Oracle and SQLite.
Fixed a bug in Django 3.1 that caused a crash when processing middlewares in an async context with a middleware that raises a MiddlewareNotUsed exception.
Fixed a regression in Django 3.1 that caused the incorrect prefixing of STATIC_URL and MEDIA_URL settings, by the server-provided value of SCRIPT_NAME (or / if not set), when set to a URL specifying the protocol but without a top-level domain, e.g. http://myhost/

Revision 1.10
Thu Dec 3 18:10:48 2020 UTC (4 years, 4 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since revision 1.9: +2 -2 lines
py-django: updated to 3.1.4

Django 3.1.4 fixes several bugs in 3.1.3.

Bugfixes

Fixed setting the Content-Length HTTP header in AsyncRequestFactory.
Fixed passing extra HTTP headers to AsyncRequestFactory request methods.
Fixed crash of key transforms for JSONField on PostgreSQL when used on a Subquery() annotation.
Fixed a regression in Django 3.1 that caused a crash of auto-reloader for certain invocations of runserver on Windows with Python 3.7 and below.
Fixed a regression in Django 3.1 that caused the incorrect grouping by a Q object annotation.
Fixed a regression in Django 3.1 that caused suppressing connection errors when JSONField is used on SQLite.
Fixed a crash on SQLite, when QuerySet.values()/values_list() contained key transforms for JSONField returning non-string primitive values

Revision 1.9
Mon Nov 2 11:12:01 2020 UTC (4 years, 5 months ago) by adam
Branches: MAIN
Changes since revision 1.8: +2 -2 lines
py-django3: updated to 3.1.3

Django 3.1.3 fixes several bugs in 3.1.2 and adds compatibility with Python 3.9.

Bugfixes

Fixed a regression in Django 3.1.2 that caused the incorrect height of the admin changelist search bar
Fixed a regression in Django 3.1.2 that caused the incorrect width of the admin changelist search bar on a filtered page
Fixed displaying Unicode characters in forms.JSONField and read-only models.JSONField values in the admin
Fixed a regression in Django 3.1 that caused a crash of ArrayAgg and StringAgg with ordering on key transforms for JSONField
Fixed a regression in Django 3.1 that caused a crash of __in lookup when using key transforms for JSONField in the lookup value
Fixed a regression in Django 3.1 that caused a crash of ExpressionWrapper with key transforms for JSONField
Fixed a regression in Django 3.1 that caused a migrations crash on PostgreSQL when adding an ExclusionConstraint with key transforms for JSONField in expressions
Fixed a regression in Django 3.1 where ProtectedError.protected_objects and RestrictedError.restricted_objects attributes returned iterators instead of a set of objects
Fixed a regression in Django 3.1.2 that caused incorrect form input layout on small screens in the admin change form view
Fixed a regression in Django 3.1 that invalidated pre-Django 3.1 password reset tokens
Added support for asgiref 3.3
Fixed a regression in Django 3.1 that caused incorrect textarea layout on medium-sized screens in the admin change form view with the sidebar open
Fixed a regression in Django 3.0.7 that didn’t use Subquery() aliases in the GROUP BY clause

Revision 1.8
Fri Oct 2 02:14:03 2020 UTC (4 years, 6 months ago) by wen
Branches: MAIN
Changes since revision 1.7: +2 -2 lines
Update to 3.1.2

Upstream changes:
Django 3.1.2 release notes

October 1, 2020

Django 3.1.2 fixes several bugs in 3.1.1.
Bugfixes

    Fixed a bug in Django 3.1 where FileField instances with a callable storage were not correctly deconstructed (#31941).
    Fixed a regression in Django 3.1 where the QuerySet.ordered attribute returned incorrectly True for GROUP BY queries (e.g. .annotate().values()) on models with Meta.ordering. A model’s Meta.ordering doesn’t affect such queries (#31990).
    Fixed a regression in Django 3.1 where a queryset would crash if it contained an aggregation and a Q object annotation (#32007).
    Fixed a bug in Django 3.1 where a test database was not synced during creation when using the MIGRATE test database setting (#32012).
    Fixed a django.contrib.admin.EmptyFieldListFilter crash when used on a GenericRelation (#32038).
    Fixed a regression in Django 3.1.1 where the admin changelist filter sidebar would not scroll for a long list of available filters (#31986).

Revision 1.7
Thu Sep 10 09:37:17 2020 UTC (4 years, 7 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since revision 1.6: +2 -2 lines
py-django3: updated to 3.1.1

Django 3.1.1 fixes two security issues and several bugs in 3.1.

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

You should review and manually fix permissions on existing intermediate-level directories.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had the system’s standard umask rather than 0o077 (no group or others permissions).

Bugfixes

Fixed wrapping of translated action labels in the admin’s navigation sidebar for East Asian languages.
Fixed wrapping of long model names in the admin’s navigation sidebar.
Fixed encoding session data while upgrading multiple instances of the same project to Django 3.1.
Adjusted admin’s navigation sidebar template to reduce debug logging when rendering.
Fixed a data loss possibility in the select_for_update(). When using related fields pointing to a proxy model in the of argument, the corresponding model was not locked.
Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value.
Fixed a regression in Django 3.1 that caused a crash when decoding invalid session data.
Reverted a deprecation in Django 3.1 that caused a crash when passing deprecated keyword arguments to a queryset in TemplateView.get_context_data().
Enforced thread sensitivity of the MiddlewareMixin.process_request() and process_response() hooks when in an async context.
Fixed __in lookup on key transforms for JSONField with MariaDB, MySQL, Oracle, and SQLite.
Fixed a regression in Django 3.1 that caused permission errors in CommonPasswordValidator and settings.py generated by the startproject command, when user didn’t have permissions to all intermediate directories in a Django installation path.
Fixed detecting an async get_response callable in various builtin middlewares.
Fixed a QuerySet.order_by() crash on PostgreSQL when ordering and grouping by JSONField with a custom decoder.
Fixed a QuerySet.delete() crash on MySQL, following a performance regression in Django 3.1 on MariaDB 10.3.2+, when filtering against an aggregate function.
Fixed a django.contrib.admin.EmptyFieldListFilter crash when using on reverse relations.
Prevented content overflowing in the admin changelist view when the navigation sidebar is enabled.


What’s new in Django 3.1
Asynchronous views and middleware support
JSONField for all supported database backends
DEFAULT_HASHING_ALGORITHM settings
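
An added example, not part of the commit message or of Django's code, for the CVE-2020-24583 and CVE-2020-24584 notes above: it shows why intermediate directories end up with umask-derived permissions on Python 3.7+ and how to audit and correct an existing tree. The function names, the 0o700 mode and the `uploads/2020/09` tree are constructed for illustration.

```python
import os
import tempfile


def audit_dir_modes(root, expected_mode):
    """Return sorted (path, mode) pairs for directories below root whose
    rwx bits differ from expected_mode."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):  # does not follow symlinks
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode is meaningless; skip it
            mode = os.lstat(path).st_mode & 0o777
            if mode != expected_mode:
                findings.append((path, mode))
    return sorted(findings)


def fix_dir_modes(findings, expected_mode):
    """chmod every reported directory to expected_mode."""
    for path, _mode in findings:
        os.chmod(path, expected_mode)


def demo():
    """Build a constructed upload tree the way the affected code did and
    audit it. Returns (findings_before_fix, findings_after_fix)."""
    expected = 0o700  # constructed stand-in for the configured directory mode
    old_umask = os.umask(0o022)  # a common default umask
    try:
        with tempfile.TemporaryDirectory() as root:
            # On Python 3.7+, mode= applies to the leaf directory only;
            # "uploads" and "uploads/2020" get 0o777 & ~umask instead.
            os.makedirs(os.path.join(root, "uploads", "2020", "09"), mode=expected)
            before = audit_dir_modes(root, expected)
            fix_dir_modes(before, expected)
            after = audit_dir_modes(root, expected)
            return [(os.path.relpath(p, root), m) for p, m in before], after
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for rel, mode in demo()[0]:
        print(f"{rel}: {oct(mode)}")
```

Against a real deployment, call `audit_dir_modes()` on the media, static and file-cache roots with the mode the project actually configures, and review the findings before applying `fix_dir_modes()`.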

Revision 1.6
Wed Jul 8 15:08:31 2020 UTC (4 years, 9 months ago) by adam
Branches: MAIN
Changes since revision 1.5: +2 -2 lines
py-django3: updated to 3.0.8

Django 3.0.8 fixes several bugs in 3.0.7.

Bugfixes

Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised by cache key validation.
Fixed a regression in Django 3.0.7 that caused a queryset crash when grouping by a many-to-one relationship.
Reallowed, following a regression in Django 3.0, non-expressions having a filterable attribute to be used as the right-hand side in queryset filters.
Fixed a regression in Django 3.0.2 that caused a migration crash on PostgreSQL when adding a foreign key to a model with a namespaced db_table.
Added compatibility for cx_Oracle 8.

Revision 1.5
Wed Jun 3 15:29:36 2020 UTC (4 years, 10 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since revision 1.4: +2 -2 lines
py-django3: updated to 3.0.7

Django 3.0.7 fixes two security issues and several bugs in 3.0.6.

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.

Bugfixes

Fixed a regression in Django 3.0 by restoring the ability to use field lookups in Meta.ordering.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and a subquery annotation.
Fixed a regression in Django 3.0 where aggregates used wrong annotations when a queryset has multiple subqueries annotations.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and an Exists() annotation on Oracle.
Fixed a regression in Django 3.0 where all resolved Subquery() expressions were considered equal.
Fixed a regression in Django 3.0.5 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language.
Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.4.1 to 3.5.1.

Revision 1.4
Tue May 12 06:55:19 2020 UTC (4 years, 11 months ago) by adam
Branches: MAIN
Changes since revision 1.3: +2 -2 lines
py-django3: updated to 3.0.6

3.0.6:
Fixed a regression in Django 3.0 that caused a crash when filtering a Subquery() annotation of a queryset containing a single related field against a SimpleLazyObject.

Revision 1.3
Mon Apr 6 17:01:07 2020 UTC (5 years ago) by adam
Branches: MAIN
Changes since revision 1.2: +2 -2 lines
py-django3: updated to 3.0.5

Django 3.0.5:
Added the ability to handle .po files containing different plural equations for the same language.
Fixed a regression in Django 3.0 where QuerySet.values() and values_list() crashed if a queryset contained an aggregation and Subquery() annotation that collides with a field name.

Revision 1.2
Thu Mar 12 16:18:54 2020 UTC (5 years, 1 month ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since revision 1.1: +2 -2 lines
py-django3: updated to 3.0.4

Django 3.0.4 fixes a security issue and several bugs in 3.0.3.

CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle

GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.

Bugfixes

Fixed a data loss possibility when using caching from async code.
Fixed a regression in Django 3.0 that caused a file response using a temporary file to be closed incorrectly.
Fixed a data loss possibility in the select_for_update(). When using related fields or parent link fields with Multi-table inheritance in the of argument, the corresponding models were not locked.
Fixed a regression in Django 3.0 that caused misplacing parameters in logged SQL queries on Oracle.
Fixed a regression in Django 3.0.3 that caused misplacing parameters of SQL queries when subtracting DateField or DateTimeField expressions on MySQL.
Fixed a regression in Django 3.0 that didn’t include subqueries spanning multivalued relations in the GROUP BY clause.

Revision 1.1
Mon Feb 17 20:23:21 2020 UTC (5 years, 2 months ago) by adam
Branches: MAIN
py-django3: added version 3.0.3

What’s new in Django 3.0

MariaDB support
ASGI support
Exclusion constraints on PostgreSQL
Filter expressions
Enumerations for model field choices

CVSweb <webmaster@jp.NetBSD.org>