September 3, 2024
Django 5.1.1 fixes one security issue with severity "moderate", one security issue with severity "low", and several bugs in 5.1.
django.utils.html.urlize()
¶urlize
and urlizetrunc
were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
Due to unhandled email sending failures, the
PasswordResetForm
class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.
To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.
Window()
when
passing an empty sequence to the order_by
parameter, and a crash of
Prefetch()
for a sliced queryset without ordering (#35665).usable_password
field was
included in BaseUserCreationForm
(and
children). A new AdminUserCreationForm
including this field was added, isolating the feature to the admin where it
was intended (#35678).stacklevel
in Model.save()
and
Model.asave()
to correctly point to the offending call site
(#35060).stacklevel
when using OS_OPEN_FLAGS
in FileSystemStorage
to correctly point
to the offending call site (#35326).stacklevel
in
FieldCacheMixin.get_cache_name()
to correctly point to the offending call
site (#35405).init_connection_state
method of the PostgreSQL backend (#35688).9月 16, 2024