1. ==========================

  2. Django 3.0.4 release notes

  3. ==========================

  4. 

  5. *March 4, 2020*

  6. 

  7. Django 3.0.4 fixes a security issue and several bugs in 3.0.3.

  8. 

  9. CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle

  10. ============================================================================================================

  11. 

  12. GIS functions and aggregates on Oracle were subject to SQL injection,

  13. using a suitably crafted ``tolerance``.

  14. 

  15. Bugfixes

  16. ========

  17. 

  18. * Fixed a data loss possibility when using caching from async code

  19.   (:ticket:`31253`).

  20. 

  21. * Fixed a regression in Django 3.0 that caused a file response using a

  22.   temporary file to be closed incorrectly (:ticket:`31240`).

  23. 

  24. * Fixed a data loss possibility in the

  25.   :meth:`~django.db.models.query.QuerySet.select_for_update`. When using

  26.   related fields or parent link fields with :ref:`multi-table-inheritance` in

  27.   the ``of`` argument, the corresponding models were not locked

  28.   (:ticket:`31246`).

  29. 

  30. * Fixed a regression in Django 3.0 that caused misplacing parameters in logged

  31.   SQL queries on Oracle (:ticket:`31271`).

  32. 

  33. * Fixed a regression in Django 3.0.3 that caused misplacing parameters of SQL

  34.   queries when subtracting ``DateField`` or ``DateTimeField`` expressions on

  35.   MySQL (:ticket:`31312`).

  36. 

  37. * Fixed a regression in Django 3.0 that didn't include subqueries spanning

  38.   multivalued relations in the ``GROUP BY`` clause (:ticket:`31150`).
About Sign Up Leave Feedback Contact