1. ==========================

  2. Django 3.2.5 release notes

  3. ==========================

  4. 

  5. *July 1, 2021*

  6. 

  7. Django 3.2.5 fixes a security issue with severity "high" and several bugs in

  8. 3.2.4. Also, the latest string translations from Transifex are incorporated.

  9. 

  10. CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input

  11. =====================================================================================

  12. 

  13. Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended

  14. column reference validation in path marked for deprecation resulting in a

  15. potential SQL injection even if a deprecation warning is emitted.

  16. 

  17. As a mitigation the strict column reference validation was restored for the

  18. duration of the deprecation period. This regression appeared in 3.1 as a side

  19. effect of fixing :ticket:`31426`.

  20. 

  21. The issue is not present in the main branch as the deprecated path has been

  22. removed.

  23. 

  24. Bugfixes

  25. ========

  26. 

  27. * Fixed a regression in Django 3.2 that caused a crash of

  28.   ``QuerySet.values_list(…, named=True)`` after ``prefetch_related()``

  29.   (:ticket:`32812`).

  30. 

  31. * Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when

  32.   altering ``BinaryField``, ``JSONField``, or ``TextField`` to non-nullable

  33.   (:ticket:`32503`).

  34. 

  35. * Fixed a regression in Django 3.2 that caused a migration crash on MySQL

  36.   8.0.13+ when adding nullable ``BinaryField``, ``JSONField``, or ``TextField``

  37.   with a default value (:ticket:`32832`).

  38. 

  39. * Fixed a bug in Django 3.2 where a system check would crash on a model with an

  40.   invalid ``app_label`` (:ticket:`32863`).
About Sign Up Leave Feedback Contact