agconti / cookiecutter-django-rest

Build best practiced apis fast with Python3
http://agconti.github.io/cookiecutter-django-rest/
MIT License

Scheduled daily dependency update on Wednesday #2381

Closed pyup-bot closed 2 weeks ago

pyup-bot commented 2 weeks ago

Update Django from 5.1 to 5.1.1.

Changelog

### 5.1.1

```
==========================

*September 3, 2024*

Django 5.1.1 fixes one security issue with severity "moderate", one security
issue with severity "low", and several bugs in 5.1.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes. To mitigate this risk, exceptions occurring during
password reset email sending are now handled and logged using the
:ref:`django-contrib-auth-logger` logger.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash of ``Window()`` when
  passing an empty sequence to the ``order_by`` parameter, and a crash of
  ``Prefetch()`` for a sliced queryset without ordering (:ticket:`35665`).

* Fixed a regression in Django 5.1 where a new ``usable_password`` field was
  included in :class:`~django.contrib.auth.forms.BaseUserCreationForm` (and
  children). A new :class:`~django.contrib.auth.forms.AdminUserCreationForm`
  including this field was added, isolating the feature to the admin where it
  was intended (:ticket:`35678`).

* Adjusted the deprecation warning ``stacklevel`` in :meth:`.Model.save` and
  :meth:`.Model.asave` to correctly point to the offending call site
  (:ticket:`35060`).

* Adjusted the deprecation warning ``stacklevel`` when using ``OS_OPEN_FLAGS``
  in :class:`~django.core.files.storage.FileSystemStorage` to correctly point
  to the offending call site (:ticket:`35326`).

* Adjusted the deprecation warning ``stacklevel`` in
  ``FieldCacheMixin.get_cache_name()`` to correctly point to the offending call
  site (:ticket:`35405`).

* Restored, following a regression in Django 5.1, the ability to override the
  timezone and role setting behavior used within the ``init_connection_state``
  method of the PostgreSQL backend (:ticket:`35688`).

* Fixed a bug in Django 5.1 where variable lookup errors were logged when
  rendering admin fieldsets (:ticket:`35716`).

========================
```

Links

- PyPI: https://pypi.org/project/django
- Changelog: https://data.safetycli.com/changelogs/django/

Update django-model-utils from 4.5.1 to 5.0.0.

Changelog

### 5.0.0

```
------------------
- Add formal support for `Django 5.1`
- Remove MonitorField deprecation warning. `None` - instead of
  `django.utils.timezone.now` will be used when nullable and no default provided (GH-599)
- Add deprecation warning for MonitorField. The default value will be `None`
  instead of `django.utils.timezone.now` - when nullable and without a default.
- Add Brazilian Portuguese translation (GH-578)
- Don't use `post_init` signal for initialize tracker
- Make `contribute_to_class()` in `StatusField`, `MonitorField` and `SplitField`
  forward additional arguments to Django
- `SplitField` no longer accepts `no_excerpt_field` as a keyword argument
- Make `soft` argument to `SoftDeletableModel.delete()` keyword-only
- `JoinManager` and `JoinManagerMixin` have been deprecated; please use
  ``JoinQueryset.as_manager()`` instead
- Change `SoftDeletableQuerySetMixin.delete` to replicate Django's API.
```

Links

- PyPI: https://pypi.org/project/django-model-utils
- Changelog: https://data.safetycli.com/changelogs/django-model-utils/
- Repo: https://github.com/jazzband/django-model-utils

Update boto3 from 1.35.10 to 1.35.11.

Changelog

### 1.35.11

```
=======

* api-change:``connect``: [``botocore``] Release ReplicaConfiguration as part of DescribeInstance
* api-change:``datazone``: [``botocore``] Add support to let data publisher specify a subset of the data asset that a subscriber will have access to based on the asset filters provided, when accepting a subscription request.
* api-change:``elbv2``: [``botocore``] This release adds support for configuring TCP idle timeout on NLB and GWLB listeners.
* api-change:``mediaconnect``: [``botocore``] AWS Elemental MediaConnect introduces thumbnails for Flow source monitoring. Thumbnails provide still image previews of the live content feeding your MediaConnect Flow allowing you to easily verify that your source is operating as expected.
* api-change:``medialive``: [``botocore``] Added MinQP as a Rate Control option for H264 and H265 encodes.
* api-change:``sagemaker``: [``botocore``] Amazon SageMaker now supports automatic mounting of a user's home folder in the Amazon Elastic File System (EFS) associated with the SageMaker Studio domain to their Studio Spaces to enable users to share data between their own private spaces.
* api-change:``timestream-influxdb``: [``botocore``] Timestream for InfluxDB now supports compute scaling and deployment type conversion. This release adds the DbInstanceType and DeploymentType parameters to the UpdateDbInstance API.
```

Links

- PyPI: https://pypi.org/project/boto3
- Changelog: https://data.safetycli.com/changelogs/boto3/
- Repo: https://github.com/boto/boto3

pyup-bot commented 2 weeks ago

Closing this in favor of #2382