Django/django
11
0
Fork 0
Code Pull Requests Projects Releases Activity
django/docs/releases/3.2.5.txt
Simon Charette a34a5f724c [3.2.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by(). 
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5
by marking the raw SQL column reference feature for deprecation in
Django 4.0 while lifting the column format validation.

In retrospective the validation should have been kept around and the
user should have been pointed at using RawSQL expressions during the
deprecation period.

The main branch is not affected because the raw SQL column reference
support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff
per the 4.0 deprecation life cycle.

Thanks Joel Saunders for the report.
2021-07-01 08:29:23 +02:00

41 lines
1.6 KiB
Plaintext
Raw Blame History

==========================
Django 3.2.5 release notes
==========================
*July 1, 2021*
Django 3.2.5 fixes a security issue with severity "high" and several bugs in
3.2.4. Also, the latest string translations from Transifex are incorporated.
CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
=====================================================================================
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended
column reference validation in path marked for deprecation resulting in a
potential SQL injection even if a deprecation warning is emitted.
As a mitigation the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a side
effect of fixing :ticket:`31426`.
The issue is not present in the main branch as the deprecated path has been
removed.
Bugfixes
========
* Fixed a regression in Django 3.2 that caused a crash of
``QuerySet.values_list(…, named=True)`` after ``prefetch_related()``
(:ticket:`32812`).
* Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when
altering ``BinaryField``, ``JSONField``, or ``TextField`` to non-nullable
(:ticket:`32503`).
* Fixed a regression in Django 3.2 that caused a migration crash on MySQL
8.0.13+ when adding nullable ``BinaryField``, ``JSONField``, or ``TextField``
with a default value (:ticket:`32832`).
* Fixed a bug in Django 3.2 where a system check would crash on a model with an
invalid ``app_label`` (:ticket:`32863`).
View Git Blame Copy Permalink