Django - 3.2.5

Security

Django 3.2.5 release notes

July 1, 2021

Django 3.2.5 fixes a security issue with severity “high” and several bugs in
3.2.4. Also, the latest string translations from Transifex are incorporated.

CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order\_by() input

Unsanitized user input passed to QuerySet.order\_by() could bypass intended
column reference validation in path marked for deprecation resulting in a
potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a side
effect of fixing #31426.

The issue is not present in the main branch as the deprecated path has been
removed.

Bugfixes

  • Fixed a regression in Django 3.2 that caused a crash of
    QuerySet.values\_list(…, named=True) after prefetch\_related()
    (#32812).
  • Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when
    altering BinaryField, JSONField, or TextField to non-nullable
    (#32503).
  • Fixed a regression in Django 3.2 that caused a migration crash on MySQL
    8.0.13+ when adding nullable BinaryField, JSONField, or TextField
    with a default value (#32832).
  • Fixed a bug in Django 3.2 where a system check would crash on a model with an
    invalid app\_label (#32863).

Details

date
July 1, 2021, 6:30 a.m.
type
Patch
official page
https://docs.djangoproject.com/en/4.0/releases/3.2.5/
👇
Register or login to:
  • 🔍View and search all Django releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google
or