June 3, 2020
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.
ForeignKeyRawIdWidget
¶Query parameters for the admin ForeignKeyRawIdWidget
were not properly URL
encoded, posing an XSS attack vector. ForeignKeyRawIdWidget
now
ensures query parameters are correctly URL encoded.
Meta.ordering
(#31538).QuerySet.values()
and
values_list()
crashed if a queryset contained an aggregation and a
subquery annotation (#31566).QuerySet.values()
and
values_list()
crashed if a queryset contained an aggregation and an
Exists()
annotation on Oracle (#31584).Subquery()
expressions were considered equal (#31607).Jul 27, 2022