==========================
Django 3.2.1 release notes
==========================

*May 4, 2021*

Django 3.2.1 fixes a security issue and several bugs in 3.2.

CVE-2021-31542: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now
applied.

Bugfixes
========

* Corrected detection of GDAL 3.2 on Windows (:ticket:`32544`).

* Fixed a bug in Django 3.2 where subclasses of ``BigAutoField`` and
  ``SmallAutoField`` were not allowed for the :setting:`DEFAULT_AUTO_FIELD`
  setting (:ticket:`32620`).

* Fixed a regression in Django 3.2 that caused a crash of
  ``QuerySet.values()/values_list()`` after ``QuerySet.union()``,
  ``intersection()``, and ``difference()`` when it was ordered by an
  unannotated field (:ticket:`32627`).

* Restored, following a regression in Django 3.2, displaying an exception
  message on the technical 404 debug page (:ticket:`32637`).

* Fixed a bug in Django 3.2 where a system check would crash on reverse
  one-to-one relationships in ``CheckConstraint.check`` or
  ``UniqueConstraint.condition`` (:ticket:`32635`).

* Fixed a regression in Django 3.2 that caused a crash of
  :attr:`.ModelAdmin.search_fields` when searching against phrases with
  unbalanced quotes (:ticket:`32649`).

* Fixed a bug in Django 3.2 where variable lookup errors were logged when
  rendering the sitemap template if alternates were not defined
  (:ticket:`32648`).

* Fixed a regression in Django 3.2 that caused a crash when combining ``Q()``
  objects which contain boolean expressions (:ticket:`32548`).

* Fixed a regression in Django 3.2 that caused a crash of ``QuerySet.update()``
  on a queryset ordered by inherited or joined fields on MySQL and MariaDB
  (:ticket:`32645`).

* Fixed a regression in Django 3.2 that caused a crash when decoding a cookie
  value, used by ``django.contrib.messages.storage.cookie.CookieStorage``, in
  the pre-Django 3.2 format (:ticket:`32643`).

* Fixed a regression in Django 3.2 that stopped the shift-key modifier
  selecting multiple rows in the admin changelist (:ticket:`32647`).

* Fixed a bug in Django 3.2 where a system check would crash on the
  :setting:`STATICFILES_DIRS` setting with a list of 2-tuples of
  ``(prefix, path)`` (:ticket:`32665`).

* Fixed a long-standing bug involving queryset bitwise combination when used
  with subqueries that began manifesting in Django 3.2, due to a separate fix
  using ``Exists`` to ``exclude()`` multi-valued relationships
  (:ticket:`32650`).

* Fixed a bug in Django 3.2 where variable lookup errors were logged when
  rendering some admin templates (:ticket:`32681`).

* Fixed a bug in Django 3.2 where an admin changelist would crash when deleting
  objects filtered against multi-valued relationships (:ticket:`32682`). The
  admin changelist now uses ``Exists()`` instead of ``QuerySet.distinct()``
  because calling ``delete()`` after ``distinct()`` is not allowed in Django
  3.2 to address a data loss possibility.

* Fixed a regression in Django 3.2 where the calling process environment would
  not be passed to the ``dbshell`` command on PostgreSQL (:ticket:`32687`).

* Fixed a performance regression in Django 3.2 when building complex filters
  with subqueries (:ticket:`32632`). As a side-effect the private API to check
  ``django.db.sql.query.Query`` equality is removed.
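For the CVE-2021-31542 entry above, the following added example (not Django's own code and not part of the original release notes) sketches the two checks that "basename and path sanitation" implies for application code handling upload names: reducing a client-supplied name to a bare basename, and confirming that a joined path stays inside the storage root. The names ``SuspiciousFileName``, ``sanitize_upload_name`` and ``resolve_under`` are hypothetical, and the sample file names are constructed.

```python
import os
import posixpath


class SuspiciousFileName(ValueError):
    """Raised when a client-supplied name could escape the upload directory."""


def sanitize_upload_name(raw_name):
    """Reduce a client-supplied file name to a bare basename, or raise."""
    if "\x00" in raw_name:
        raise SuspiciousFileName("NUL byte in file name")
    # Treat "\" as a separator too: the client may be on Windows even when
    # the server is not, so os.path.basename alone is not enough.
    name = posixpath.basename(raw_name.replace("\\", "/")).strip()
    if name in {"", ".", ".."}:
        raise SuspiciousFileName(f"unusable file name: {raw_name!r}")
    return name


def resolve_under(base_dir, relative_name):
    """Join relative_name onto base_dir and confirm the result stays inside it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_name))
    # realpath collapses ".." segments and symlinks; an absolute relative_name
    # makes os.path.join discard base, which this comparison also catches.
    if os.path.commonpath([base, target]) != base:
        raise SuspiciousFileName(f"path escapes {base!r}: {relative_name!r}")
    return target


if __name__ == "__main__":
    # Constructed sample names, as a hostile multipart client might send them.
    samples = ["report.pdf", "../../etc/passwd", "..\\..\\win.ini", "uploads/..", ".."]
    for raw in samples:
        try:
            print(f"{raw!r:22} -> {sanitize_upload_name(raw)!r}")
        except SuspiciousFileName as exc:
            print(f"{raw!r:22} -> rejected ({exc})")
```

Upgrading to 3.2.1 remains the fix; checks like these are defence in depth for code that builds storage paths from request data itself.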