Django

===========================

*February 19, 2021*

Django 3.0.13 fixes a security issue in 3.0.12.

CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``
=================================================================================

Django contains a copy of :func:`urllib.parse.parse_qsl` which was added to
backport some security fixes. A further security fix has been issued recently
such that ``parse_qsl()`` no longer allows using ``;`` as a query parameter
separator by default. Django now includes this fix. See :bpo:`42967` for
further details.


===========================

===========================

*February 1, 2021*

Django 3.0.12 fixes a security issue with severity "low" in 3.0.11.

CVE-2021-3281: Potential directory-traversal via ``archive.extract()``
======================================================================

The ``django.utils.archive.extract()`` function, used by
:option:`startapp --template` and :option:`startproject --template`, allowed
directory-traversal via an archive with absolute paths or relative paths with
dot segments.


===========================

===========================

*November 2, 2020*

Django 3.0.11 fixes a regression in 3.0.7 and adds compatibility with Python
3.9.

Bugfixes
========

* Fixed a regression in Django 3.0.7 that didn't use ``Subquery()`` aliases in
the ``GROUP BY`` clause (:ticket:`32152`).


===========================

===========================

*September 1, 2020*

Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
======================================================================================

On Python 3.7+, :setting:`FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not
applied to intermediate-level directories created in the process of uploading
files and to intermediate-level collected static directories when using the
:djadmin:`collectstatic` management command.

You should review and manually fix permissions on existing intermediate-level
directories.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================

On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).

Bugfixes
========

* Fixed a data loss possibility in the
:meth:`~django.db.models.query.QuerySet.select_for_update()`. When using
related fields pointing to a proxy model in the ``of`` argument, the
corresponding model was not locked (:ticket:`31866`).

* Fixed a data loss possibility, following a regression in Django 2.0, when
copying model instances with a cached fields value (:ticket:`31863`).


==========================

==========================

*August 3, 2020*

Django 3.0.9 fixes several bugs in 3.0.8.

Bugfixes
========

* Allowed setting the ``SameSite`` cookie flag in
:meth:`.HttpResponse.delete_cookie` (:ticket:`31790`).

* Fixed crash when sending emails to addresses with display names longer than
75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+ (:ticket:`31784`).


==========================

==========================

*July 1, 2020*

Django 3.0.8 fixes several bugs in 3.0.7.

Bugfixes
========

* Fixed messages of ``InvalidCacheKey`` exceptions and ``CacheKeyWarning``
warnings raised by cache key validation (:ticket:`31654`).

* Fixed a regression in Django 3.0.7 that caused a queryset crash when grouping
by a many-to-one relationship (:ticket:`31660`).

* Reallowed, following a regression in Django 3.0, non-expressions having a
``filterable`` attribute to be used as the right-hand side in queryset
filters (:ticket:`31664`).

* Fixed a regression in Django 3.0.2 that caused a migration crash on
PostgreSQL when adding a foreign key to a model with a namespaced
``db_table`` (:ticket:`31735`).

* Added compatibility for ``cx_Oracle`` 8 (:ticket:`31751`).


==========================