============================
Django 1.11.10 release notes
============================

*February 1, 2018*

Django 1.11.10 fixes a security issue and several bugs in 1.11.9.

CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================

A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker could enter an arbitrary username and see if that user
has been set to ``is_active=False``. If ``confirm_login_allowed()`` is
overridden, more sensitive details could be leaked.

This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.
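
As an added illustration (not Django's code), a minimal model of the two ``clean()`` orderings: the user store, the backend and the messages are constructed, and the backend accepts inactive users so that ``confirm_login_allowed()`` is what rejects them.

```python
# Added illustration, not Django's code: why running confirm_login_allowed() on
# a wrong-password attempt reveals whether the named account is inactive, and
# the ordering that avoids it. Users, backend and messages are constructed.

USERS = {  # username -> (password, is_active)
    "alice": ("correct horse", True),
    "bob": ("battery staple", False),
}
INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."


def authenticate(username, password):
    """Return the user only if the password matches, else None."""
    record = USERS.get(username)
    if record is None or record[0] != password:
        return None
    return {"username": username, "is_active": record[1]}


def confirm_login_allowed(user):
    """The default hook: reject inactive accounts with a distinct message."""
    if not user["is_active"]:
        raise ValueError(INACTIVE)


def clean_regressed(username, password):
    """1.11.8-style flow: on failure the user is looked up by name alone and
    the hook still runs, so the message differs for inactive usernames."""
    user = authenticate(username, password)
    if user is None:
        record = USERS.get(username)
        if record is not None:
            try:
                confirm_login_allowed({"username": username, "is_active": record[1]})
            except ValueError as exc:
                return str(exc)  # leaks is_active without a valid password
        return INVALID_LOGIN
    return "ok"


def clean_fixed(username, password):
    """Fixed flow: the hook only ever sees an authenticated user, so every
    wrong password yields the same generic message."""
    user = authenticate(username, password)
    if user is None:
        return INVALID_LOGIN
    try:
        confirm_login_allowed(user)
    except ValueError as exc:
        return str(exc)
    return "ok"
```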

Bugfixes
========

* Fixed incorrect foreign key nullification if a model has two foreign keys to
  the same model and a target model is deleted (:ticket:`29016`).

* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an
  authentication backend doesn't accept ``request`` and a later one does
  (:ticket:`29071`).

* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``
  (:ticket:`29094`).

============================
Django 1.11.11 release notes
============================

*March 6, 2018*

Django 1.11.11 fixes two security issues in 1.11.10.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.
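
An added example of the regex-free approach (modelled on the idea, not Django's code): wrapping and trailing punctuation around a candidate URL is peeled off with plain loops whose work is bounded by the word length. The punctuation tables are constructed for this example.

```python
# Added illustration, not Django's code: trimming punctuation around a URL
# without regular expressions. Each pass removes at most one layer of wrapping
# punctuation plus trailing punctuation; the loop stops when a pass changes
# nothing, so every iteration shortens `middle` and the work stays bounded.

WRAPPING_PUNCTUATION = [("(", ")"), ("[", "]"), ("<", ">"), ('"', '"'), ("'", "'")]
TRAILING_PUNCTUATION = ".,:;!"


def split_punctuation(word):
    """Return (lead, middle, trail); `middle` is the candidate URL."""
    lead, middle, trail = "", word, ""
    changed = True
    while changed:
        changed = False
        for opening, closing in WRAPPING_PUNCTUATION:
            if middle.startswith(opening):
                lead += opening
                middle = middle[len(opening):]
                changed = True
            if middle.endswith(closing):
                # Only move an unmatched closer: a ')' that balances a '(' inside
                # the URL (Wikipedia-style paths) stays part of it.
                unbalanced = (opening == closing
                              or middle.count(closing) > middle.count(opening))
                if unbalanced:
                    trail = closing + trail
                    middle = middle[:-len(closing)]
                    changed = True
        stripped = middle.rstrip(TRAILING_PUNCTUATION)
        if stripped != middle:
            trail = middle[len(stripped):] + trail
            middle = stripped
            changed = True
    return lead, middle, trail
```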

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.

The backtracking problem in the regular expression is fixed.

============================
Django 1.11.12 release notes
============================

*April 2, 2018*

Django 1.11.12 fixes two bugs in 1.11.11.

Bugfixes
========

* Fixed a regression in Django 1.11.8 where combining two annotated
  ``values_list()`` querysets with ``union()``, ``difference()``, or
  ``intersection()`` crashed due to mismatching columns (:ticket:`29229`).

* Fixed a regression in Django 1.11 where an empty choice could be initially
  selected for the ``SelectMultiple`` and ``CheckboxSelectMultiple`` widgets
  (:ticket:`29273`).

============================
Django 1.11.13 release notes
============================

*May 1, 2018*

Django 1.11.13 fixes several bugs in 1.11.12.

Bugfixes
========

* Fixed a regression in Django 1.11.8 where altering a field with a unique
  constraint may drop and rebuild more foreign keys than necessary
  (:ticket:`29193`).

* Fixed crashes in ``django.contrib.admindocs`` when a view is a callable
  object, such as ``django.contrib.syndication.views.Feed`` (:ticket:`29296`).

* Fixed a regression in Django 1.11.12 where ``QuerySet.values()`` or
  ``values_list()`` after combining an annotated and unannotated queryset with
  ``union()``, ``difference()``, or ``intersection()`` crashed due to mismatching
  columns (:ticket:`29286`).

============================
Django 1.11.14 release notes
============================

*July 2, 2018*

Django 1.11.14 fixes several bugs in 1.11.13.

Bugfixes
========

* Fixed ``WKBWriter.write()`` and ``write_hex()`` for empty polygons on
  GEOS 3.6.1+ (:ticket:`29460`).

* Fixed a regression in Django 1.10 that could result in large memory usage
  when making edits using ``ModelAdmin.list_editable`` (:ticket:`28462`).

============================
Django 1.11.15 release notes
============================

*August 1, 2018*

Django 1.11.15 fixes a security issue in 1.11.14.

CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
=================================================================

If the :class:`~django.middleware.common.CommonMiddleware` and the
:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
URL pattern that accepts any path ending in a slash (many content management
systems have such a pattern), then a request to a maliciously crafted URL of
that site could lead to a redirect to another site, enabling phishing and other
attacks.

``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
domains.
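
An added example (not Django's ``CommonMiddleware`` code) of why the escape matters: the ``APPEND_SLASH`` redirect target is built from the request path, and a path beginning with two slashes would otherwise become a protocol-relative ``Location``. The site and paths are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit

# Added illustration, not Django's code: escaping the second leading slash keeps
# the APPEND_SLASH redirect on the current host. Sample values are constructed.


def escape_leading_slashes(url):
    """Turn '//host/...' into '/%2Fhost/...' so browsers treat it as a path."""
    if url.startswith("//"):
        url = "/%2F" + url[2:]
    return url


def append_slash_location(path, query="", escape=True):
    """Location header for the APPEND_SLASH redirect; escape=False reproduces
    the pre-fix behaviour for comparison."""
    new_path = path + "/"
    if escape:
        new_path = escape_leading_slashes(new_path)
    return new_path + ("?" + query if query else "")


def redirect_host(site, location):
    """Host a browser would contact when following `location` from `site`."""
    return urlsplit(urljoin(site, location)).netloc


def stays_on_site(site, path):
    """Defensive check: does the fixed redirect keep the user on `site`?"""
    return redirect_host(site, append_slash_location(path)) == urlsplit(site).netloc
```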

============================
Django 1.11.16 release notes
============================

*October 1, 2018*

Django 1.11.16 fixes a data loss bug in 1.11.15.

Bugfixes
========

* Fixed a race condition in ``QuerySet.update_or_create()`` that could result
  in data loss (:ticket:`29499`).

============================
Django 1.11.17 release notes
============================

*December 3, 2018*

Django 1.11.17 fixes several bugs in 1.11.16 and adds compatibility with
Python 3.7.

Bugfixes
========

* Prevented repetitive calls to ``geos_version_tuple()`` in the ``WKBWriter``
  class in an attempt to fix a random crash involving ``LooseVersion`` since
  Django 1.11.14 (:ticket:`29959`).

============================
Django 1.11.18 release notes
============================

*January 4, 2019*

Django 1.11.18 fixes a security issue in 1.11.17.

CVE-2019-3498: Content spoofing possibility in the default 404 page
-------------------------------------------------------------------

An attacker could craft a malicious URL that could make spoofed content appear
on the default page generated by the ``django.views.defaults.page_not_found()``
view.

The URL path is no longer displayed in the default 404 template and the
``request_path`` context variable is now quoted to fix the issue for custom
templates that use the path.

============================
Django 1.11.19 release notes
============================

*February 11, 2019*

Django 1.11.19 fixes a security issue in 1.11.18.

CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()``
--------------------------------------------------------------------------

If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well
as the ``floatformat``, ``filesizeformat``, and ``intcomma`` template filters
-- received a ``Decimal`` with a large number of digits or a large exponent, it
could lead to significant memory usage due to a call to ``'{:f}'.format()``.

To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.
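
An added example of the approach (not Django's ``numberformat.format()``): measure the ``Decimal`` with ``as_tuple()`` before rendering and switch to scientific notation past the 200-digit threshold, so ``'{:f}'`` never materialises a huge string. ``format_decimal_str`` is a convenience wrapper taking a string.

```python
from decimal import Decimal

# Added illustration of the fix's approach, not Django's code. The positional
# rendering of a Decimal needs roughly len(digits) + |exponent| characters, so
# that size is checked up front and large values go through '{:e}' instead.
DIGIT_LIMIT = 200


def format_decimal(number, decimal_pos=None):
    """Positional string, or 'coefficient e exponent' for oversized values.
    decimal_pos truncates (does not round) the fractional part."""
    _sign, digits, exponent = number.as_tuple()
    if abs(exponent) + len(digits) > DIGIT_LIMIT:
        coefficient, exp = "{:e}".format(number).split("e")
        if decimal_pos is not None:  # the coefficient is short, recurse safely
            coefficient = format_decimal(Decimal(coefficient), decimal_pos)
        return "{}e{}".format(coefficient, exp)
    text = "{:f}".format(number)
    if decimal_pos is None:
        return text
    int_part, _, frac = text.partition(".")
    if decimal_pos == 0:
        return int_part
    return int_part + "." + frac[:decimal_pos].ljust(decimal_pos, "0")


def format_decimal_str(text, decimal_pos=None):
    """Wrapper so callers can pass the Decimal as a string."""
    return format_decimal(Decimal(text), decimal_pos)


def positional_length(text):
    """Length of the unbounded '{:f}' rendering, for comparison."""
    return len("{:f}".format(Decimal(text)))
```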

============================
Django 1.11.20 release notes
============================

*February 11, 2019*

Django 1.11.20 fixes a packaging error in 1.11.19.

Bugfixes
========

* Corrected packaging error from 1.11.19 (:ticket:`30175`).

============================
Django 1.11.21 release notes
============================

*June 3, 2019*

Django 1.11.21 fixes a security issue in 1.11.20.

CVE-2019-12308: AdminURLFieldWidget XSS
---------------------------------------

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in a clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using
:class:`~django.core.validators.URLValidator` before displaying the clickable
link. You may customize the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
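
An added example (not Django's ``AdminURLFieldWidget``) of the validate-before-linking rule: ``validate_url`` is a deliberately small stand-in for ``URLValidator`` and plays the role a ``validator_class`` override would fill.

```python
from html import escape
from urllib.parse import urlsplit

# Added illustration, not Django's widget code: validate the stored value before
# turning it into an href, and fall back to escaped text when it fails.
ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")


class ValidationError(ValueError):
    pass


def validate_url(value):
    """Accept only absolute URLs with a permitted scheme and a host."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValidationError("Enter a valid URL.")


def render_url_widget(value, validator=validate_url):
    """Render the edit field plus the clickable 'Currently:' link only when the
    value validates; an unvalidated value is shown as text, never as a link."""
    quoted = escape(value, quote=True)
    field = '<input type="url" name="url" value="{}">'.format(quoted)
    try:
        validator(value)
    except ValidationError:
        return "Currently: {}<br>Change: {}".format(quoted, field)
    return 'Currently: <a href="{0}">{0}</a><br>Change: {1}'.format(quoted, field)


def renders_link(value):
    """True when the widget output contains a clickable link for `value`."""
    return "<a href=" in render_url_widget(value)
```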

============================
Django 1.11.22 release notes
============================

*July 1, 2019*

Django 1.11.22 fixes a security issue in 1.11.21.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
--------------------------------------------------------------------------------

When deployed behind a reverse-proxy connecting to Django via HTTPS,
:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
requests made via HTTP as using HTTPS. This entails incorrect results for
:meth:`~django.http.HttpRequest.is_secure`, and
:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
requests would not be redirected to HTTPS in accordance with
:setting:`SECURE_SSL_REDIRECT`.

``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
is configured, and the appropriate header is set on the request, for both HTTP
and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
that connects to Django via HTTPS, be sure to verify that your application
correctly handles code paths relying on ``scheme``, ``is_secure()``,
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
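
An added model of the scheme resolution (not Django's ``HttpRequest`` code): ``meta`` stands for ``request.META``, ``connection_scheme`` is what the WSGI server saw on the socket, and ``SECURE_PROXY_SSL_HEADER`` is passed explicitly as a ``(header, value)`` tuple.

```python
# Added illustration, not Django's code: resolving the request scheme behind a
# reverse proxy that itself connects to Django over TLS (connection_scheme is
# then 'https' for every request, whatever the client used).


def scheme_before_fix(meta, connection_scheme, secure_proxy_ssl_header=None):
    """Pre-1.11.22 logic: a header that does not match falls through to the
    connection scheme, so a plain-HTTP client is reported as HTTPS."""
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        if meta.get(header) == secure_value:
            return "https"
    return connection_scheme


def scheme_fixed(meta, connection_scheme, secure_proxy_ssl_header=None):
    """1.11.22 logic: once the header is configured it decides both ways."""
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        return "https" if meta.get(header) == secure_value else "http"
    return connection_scheme


def needs_ssl_redirect(meta, connection_scheme, secure_proxy_ssl_header,
                       secure_ssl_redirect=True):
    """SECURE_SSL_REDIRECT decision on top of the fixed scheme: only plain-HTTP
    clients are sent to HTTPS. The proxy must still overwrite the header on
    every request so that a client cannot supply its own value."""
    if not secure_ssl_redirect:
        return False
    return scheme_fixed(meta, connection_scheme, secure_proxy_ssl_header) != "https"
```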

============================
Django 1.11.23 release notes
============================

*August 1, 2019*

Django 1.11.23 fixes security issues in 1.11.22.

CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.

The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
=================================================================

Due to the behavior of the underlying ``HTMLParser``,
:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` once a pass
stops making progress at removing tags (incomplete HTML entities necessarily
remain).

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.
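
An added example (not Django's ``strip_tags()``) of the progress check and of the escaping rule above: tags are stripped repeatedly, but the loop ends as soon as a pass removes no more ``<`` characters, and ``safe_text`` shows the result being escaped before use.

```python
from html import escape
from html.parser import HTMLParser

# Added illustration, not Django's code: a strip_tags() that re-parses only
# while a pass still removes tags, so input that never resolves cannot keep
# HTMLParser busy indefinitely. Entity references are passed through verbatim.


class _TagStripper(HTMLParser):
    """Keep text and entity references, drop every tag."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_entityref(self, name):
        self.chunks.append("&%s;" % name)

    def handle_charref(self, name):
        self.chunks.append("&#%s;" % name)

    def text(self):
        return "".join(self.chunks)


def _strip_once(value):
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.text()


def strip_loop(value):
    """Return (stripped_text, passes); stops when a pass makes no progress."""
    value, passes = str(value), 0
    while "<" in value and ">" in value:
        new_value = _strip_once(value)
        passes += 1
        if value.count("<") == new_value.count("<"):
            break  # the parser found nothing more to remove
        value = new_value
    return value, passes


def strip_tags(value):
    """Tag-stripped text. NOT safe HTML: escape it before marking it safe."""
    return strip_loop(value)[0]


def safe_text(value):
    """The pattern the note asks for: strip, then escape."""
    return escape(strip_tags(value))
```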

CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
====================================================================================================

:lookup:`Key and index lookups <jsonfield.key>` for
:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
were subject to SQL injection, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.

CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
=====================================================================================

If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
to significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.

============================
Django 1.11.24 release notes
============================

*September 2, 2019*

Django 1.11.24 fixes a regression in 1.11.23.

Bugfixes
========

* Fixed crash of ``KeyTransform()`` for
  :class:`~django.contrib.postgres.fields.JSONField` and
  :class:`~django.contrib.postgres.fields.HStoreField` when using on
  expressions with params (:ticket:`30672`).

============================
Django 1.11.25 release notes
============================

*October 1, 2019*

Django 1.11.25 fixes a regression in 1.11.23.

Bugfixes
========

* Fixed a crash when filtering with a ``Subquery()`` annotation of a queryset
  containing :class:`~django.contrib.postgres.fields.JSONField` or
  :class:`~django.contrib.postgres.fields.HStoreField` (:ticket:`30769`).

============================
Django 1.11.26 release notes
============================

*November 4, 2019*

Django 1.11.26 fixes a regression in 1.11.25.

Bugfixes
========

* Fixed a crash when using a ``contains``, ``contained_by``, ``has_key``,
  ``has_keys``, or ``has_any_keys`` lookup on
  :class:`~django.contrib.postgres.fields.JSONField`, if the right or left hand
  side of an expression is a key transform (:ticket:`30826`).