==========================Django 3.1.1 release notes==========================*September 1, 2020*Django 3.1.1 fixes two security issues and several bugs in 3.1.CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+======================================================================================On Python 3.7+, :setting:`FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was notapplied to intermediate-level directories created in the process of uploadingfiles and to intermediate-level collected static directories when using the:djadmin:`collectstatic` management command.You should review and manually fix permissions on existing intermediate-leveldirectories.CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+===============================================================================================================On Python 3.7+, the intermediate-level directories of the file system cache hadthe system's standard umask rather than ``0o077`` (no group or otherspermissions).Bugfixes========* Fixed wrapping of translated action labels in the admin's navigation sidebarfor East Asian languages (:ticket:`31853`).* Fixed wrapping of long model names in the admin's navigation sidebar(:ticket:`31854`).* Fixed encoding session data while upgrading multiple instances of the sameproject to Django 3.1 (:ticket:`31864`).* Adjusted admin's navigation sidebar template to reduce debug logging whenrendering (:ticket:`31865`).* Fixed a data loss possibility in the:meth:`~django.db.models.query.QuerySet.select_for_update()`. When usingrelated fields pointing to a proxy model in the ``of`` argument, thecorresponding model was not locked (:ticket:`31866`).* Fixed a data loss possibility, following a regression in Django 2.0, whencopying model instances with a cached fields value (:ticket:`31863`).* Fixed a regression in Django 3.1 that caused a crash when decoding an invalidsession data (:ticket:`31895`).* Reverted a deprecation in Django 3.1 that caused a crash when passingdeprecated keyword arguments to a queryset in``TemplateView.get_context_data()`` (:ticket:`31877`).* Enforced thread sensitivity of the :class:`MiddlewareMixin.process_request()<django.utils.deprecation.MiddlewareMixin>` and ``process_response()`` hookswhen in an async context (:ticket:`31905`).* Fixed ``__in`` lookup on key transforms for:class:`~django.db.models.JSONField` with MariaDB, MySQL, Oracle, and SQLite(:ticket:`31936`).* Fixed a regression in Django 3.1 that caused permission errors in``CommonPasswordValidator`` and ``settings.py`` generated by the:djadmin:`startproject` command, when user didn't have permissions to allintermediate directories in a Django installation path (:ticket:`31912`).* Fixed detecting an async ``get_response`` callable in various builtinmiddlewares (:ticket:`31928`).* Fixed a ``QuerySet.order_by()`` crash on PostgreSQL when ordering andgrouping by :class:`~django.db.models.JSONField` with a custom:attr:`~django.db.models.JSONField.decoder` (:ticket:`31956`). As aconsequence, fetching a ``JSONField`` with raw SQL now returns a stringinstead of preloaded data. You will need to explicitly call ``json.loads()``in such cases.* Fixed a ``QuerySet.delete()`` crash on MySQL, following a performanceregression in Django 3.1 on MariaDB 10.3.2+, when filtering against anaggregate function (:ticket:`31965`).* Fixed a ``django.contrib.admin.EmptyFieldListFilter`` crash when using onreverse relations (:ticket:`31952`).* Prevented content overflowing in the admin changelist view when thenavigation sidebar is enabled (:ticket:`31901`).