Django

Latest version: v5.0.3

Safety actively analyzes 613649 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 29 of 52

1.11.14

Not secure
============================

*July 2, 2018*

Django 1.11.14 fixes several bugs in 1.11.13.

Bugfixes
========

* Fixed ``WKBWriter.write()`` and ``write_hex()`` for empty polygons on
GEOS 3.6.1+ (:ticket:`29460`).

* Fixed a regression in Django 1.10 that could result in large memory usage
when making edits using ``ModelAdmin.list_editable`` (:ticket:`28462`).


============================

1.11.13

Not secure
============================

*May 1, 2018*

Django 1.11.13 fixes several bugs in 1.11.12.

Bugfixes
========

* Fixed a regression in Django 1.11.8 where altering a field with a unique
constraint may drop and rebuild more foreign keys than necessary
(:ticket:`29193`).

* Fixed crashes in ``django.contrib.admindocs`` when a view is a callable
object, such as ``django.contrib.syndication.views.Feed`` (:ticket:`29296`).

* Fixed a regression in Django 1.11.12 where ``QuerySet.values()`` or
``values_list()`` after combining an annotated and unannotated queryset with
``union()``, ``difference()``, or ``intersection()`` crashed due to mismatching
columns (:ticket:`29286`).


============================

1.11.12

Not secure
============================

*April 2, 2018*

Django 1.11.12 fixes two bugs in 1.11.11.

Bugfixes
========

* Fixed a regression in Django 1.11.8 where combining two annotated
``values_list()`` querysets with ``union()``, ``difference()``, or
``intersection()`` crashed due to mismatching columns (:ticket:`29229`).

* Fixed a regression in Django 1.11 where an empty choice could be initially
selected for the ``SelectMultiple`` and ``CheckboxSelectMultiple`` widgets
(:ticket:`29273`).


============================

1.11.11

Not secure
============================

*March 6, 2018*

Django 1.11.11 fixes two security issues in 1.11.10.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.

The backtracking problem in the regular expression is fixed.


============================

1.11.10

Not secure
============================

*February 1, 2018*

Django 1.11.10 fixes a security issue and several bugs in 1.11.9.

CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================

A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker enter an arbitrary username and see if that user has
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.

Bugfixes
========

* Fixed incorrect foreign key nullification if a model has two foreign keys to
the same model and a target model is deleted (:ticket:`29016`).

* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an
authentication backend doesn't accept ``request`` and a later one does
(:ticket:`29071`).

* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``
(:ticket:`29094`).


===========================

1.11.9

Not secure
===========================

*January 1, 2018*

Django 1.11.9 fixes several bugs in 1.11.8.

Bugfixes
========

* Fixed a regression in Django 1.11 that added newlines between ``MultiWidget``'s
subwidgets (:ticket:`28890`).

* Fixed incorrect class-based model index name generation for models with
quoted ``db_table`` (:ticket:`28876`).

* Fixed incorrect foreign key constraint name for models with quoted
``db_table`` (:ticket:`28876`).

* Fixed a regression in caching of a ``GenericForeignKey`` when the referenced
model instance uses more than one level of multi-table inheritance
(:ticket:`28856`).


===========================

Page 29 of 52

Links

Releases

Has known vulnerabilities

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.