1. ===========================

  2. Django 3.2.13 release notes

  3. ===========================

  4. 

  5. *April 11, 2022*

  6. 

  7. Django 3.2.13 fixes two security issues with severity "high" in

  8. 3.2.12 and a regression in 3.2.4.

  9. 

  10. CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``

  11. ====================================================================================================

  12. 

  13. :meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and

  14. :meth:`~.QuerySet.extra` methods were subject to SQL injection in column

  15. aliases, using a suitably crafted dictionary, with dictionary expansion, as the

  16. ``**kwargs`` passed to these methods.

  17. 

  18. CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL

  19. =========================================================================================

  20. 

  21. :meth:`.QuerySet.explain` method was subject to SQL injection in option names,

  22. using a suitably crafted dictionary, with dictionary expansion, as the

  23. ``**options`` argument.

  24. 

  25. Bugfixes

  26. ========

  27. 

  28. * Fixed a regression in Django 3.2.4 that caused the auto-reloader to no longer

  29.   detect changes when the ``DIRS`` option of the ``TEMPLATES`` setting

  30.   contained an empty string (:ticket:`33628`).
About Sign Up Leave Feedback Contact