1. ==========================

  2. Django 4.0.1 release notes

  3. ==========================

  4. 

  5. *January 4, 2022*

  6. 

  7. Django 4.0.1 fixes one security issue with severity "medium", two security

  8. issues with severity "low", and several bugs in 4.0.

  9. 

  10. CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator``

  11. =====================================================================================

  12. 

  13. :class:`.UserAttributeSimilarityValidator` incurred significant overhead

  14. evaluating submitted password that were artificially large in relative to the

  15. comparison values. On the assumption that access to user registration was

  16. unrestricted this provided a potential vector for a denial-of-service attack.

  17. 

  18. In order to mitigate this issue, relatively long values are now ignored by

  19. ``UserAttributeSimilarityValidator``.

  20. 

  21. This issue has severity "medium" according to the :ref:`Django security policy

  22. <security-disclosure>`.

  23. 

  24. CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter

  25. ================================================================================

  26. 

  27. Due to leveraging the Django Template Language's variable resolution logic, the

  28. :tfilter:`dictsort` template filter was potentially vulnerable to information

  29. disclosure or unintended method calls, if passed a suitably crafted key.

  30. 

  31. In order to avoid this possibility, ``dictsort`` now works with a restricted

  32. resolution logic, that will not call methods, nor allow indexing on

  33. dictionaries.

  34. 

  35. As a reminder, all untrusted user input should be validated before use.

  36. 

  37. This issue has severity "low" according to the :ref:`Django security policy

  38. <security-disclosure>`.

  39. 

  40. CVE-2021-45452: Potential directory-traversal via ``Storage.save()``

  41. ====================================================================

  42. 

  43. ``Storage.save()`` allowed directory-traversal if directly passed suitably

  44. crafted file names.

  45. 

  46. This issue has severity "low" according to the :ref:`Django security policy

  47. <security-disclosure>`.

  48. 

  49. Bugfixes

  50. ========

  51. 

  52. * Fixed a regression in Django 4.0 that caused a crash of

  53.   :meth:`~django.test.SimpleTestCase.assertFormsetError` on a formset named

  54.   ``form`` (:ticket:`33346`).

  55. 

  56. * Fixed a bug in Django 4.0 that caused a crash on booleans with the

  57.   ``RedisCache`` backend (:ticket:`33361`).

  58. 

  59. * Relaxed the check added in Django 4.0 to reallow use of a duck-typed

  60.   ``HttpRequest`` in ``django.views.decorators.cache.cache_control()`` and

  61.   ``never_cache()`` decorators (:ticket:`33350`).

  62. 

  63. * Fixed a regression in Django 4.0 that caused creating bogus migrations for

  64.   models that reference swappable models such as ``auth.User``

  65.   (:ticket:`33366`).

  66. 

  67. * Fixed a long standing bug in :ref:`geos-geometry-collections` and

  68.   :class:`~django.contrib.gis.geos.Polygon` that caused a crash on some

  69.   platforms (reported on macOS based on the ``ARM64`` architecture)

  70.   (:ticket:`32600`).
About Sign Up Leave Feedback Contact