Changelog
### 2.1.7
```
==========================
*February 11, 2019*
Django 2.1.7 fixes a packaging error in 2.1.6.
Bugfixes
========
* Corrected packaging error from 2.1.6 (:ticket:`30175`).
==========================
```
### 2.1.6
```
==========================
*February 11, 2019*
Django 2.1.6 fixes a security issue and a bug in 2.1.5.
CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()``
--------------------------------------------------------------------------
If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well
as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates
filters -- received a ``Decimal`` with a large number of digits or a large
exponent, it could lead to significant memory usage due to a call to
``'{:f}'.format()``.
To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.
Bugfixes
========
* Made the ``obj`` argument of ``InlineModelAdmin.has_add_permission()``
optional to restore backwards compatibility with third-party code that
doesn't provide it (:ticket:`30097`).
==========================
```
### 2.1.5
```
==========================
*January 4, 2019*
Django 2.1.5 fixes a security issue and several bugs in 2.1.4.
CVE-2019-3498: Content spoofing possibility in the default 404 page
-------------------------------------------------------------------
An attacker could craft a malicious URL that could make spoofed content appear
on the default page generated by the ``django.views.defaults.page_not_found()``
view.
The URL path is no longer displayed in the default 404 template and the
``request_path`` context variable is now quoted to fix the issue for custom
templates that use the path.
Bugfixes
========
* Fixed compatibility with mysqlclient 1.3.14 (:ticket:`30013`).
* Fixed a schema corruption issue on SQLite 3.26+. You might have to drop and
rebuild your SQLite database if you applied a migration while using an older
version of Django with SQLite 3.26 or later (:ticket:`29182`).
* Prevented SQLite schema alterations while foreign key checks are enabled to
avoid the possibility of schema corruption (:ticket:`30023`).
* Fixed a regression in Django 2.1.4 (which enabled keep-alive connections)
where request body data isn't properly consumed for such connections
(:ticket:`30015`).
* Fixed a regression in Django 2.1.4 where
``InlineModelAdmin.has_change_permission()`` is incorrectly called with a
non-``None`` ``obj`` argument during an object add (:ticket:`30050`).
==========================
```
### 2.1.4
```
==========================
*December 3, 2018*
Django 2.1.4 fixes several bugs in 2.1.3.
Bugfixes
========
* Corrected the default password list that ``CommonPasswordValidator`` uses by
lowercasing all passwords to match the format expected by the validator
(:ticket:`29952`).
* Prevented repetitive calls to ``geos_version_tuple()`` in the ``WKBWriter``
class in an attempt to fix a random crash involving ``LooseVersion``
(:ticket:`29959`).
* Fixed keep-alive support in ``runserver`` after it was disabled to fix
another issue in Django 2.0 (:ticket:`29849`).
* Fixed admin view-only change form crash when using
``ModelAdmin.prepopulated_fields`` (:ticket:`29929`).
* Fixed "Please correct the errors below" error message when editing an object
in the admin if the user only has the "view" permission on inlines
(:ticket:`29930`).
==========================
```
Links
- PyPI: https://pypi.org/project/django
- Changelog: https://pyup.io/changelogs/django/
- Homepage: https://www.djangoproject.com/
pyup-bot
commented
5 years ago
This PR updates Django from 2.1.3 to 2.1.7.
Changelog
### 2.1.7 ``` ========================== *February 11, 2019* Django 2.1.7 fixes a packaging error in 2.1.6. Bugfixes ======== * Corrected packaging error from 2.1.6 (:ticket:`30175`). ========================== ``` ### 2.1.6 ``` ========================== *February 11, 2019* Django 2.1.6 fixes a security issue and a bug in 2.1.5. CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()`` -------------------------------------------------------------------------- If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates filters -- received a ``Decimal`` with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to ``'{:f}'.format()``. To avoid this, decimals with more than 200 digits are now formatted using scientific notation. Bugfixes ======== * Made the ``obj`` argument of ``InlineModelAdmin.has_add_permission()`` optional to restore backwards compatibility with third-party code that doesn't provide it (:ticket:`30097`). ========================== ``` ### 2.1.5 ``` ========================== *January 4, 2019* Django 2.1.5 fixes a security issue and several bugs in 2.1.4. CVE-2019-3498: Content spoofing possibility in the default 404 page ------------------------------------------------------------------- An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the ``django.views.defaults.page_not_found()`` view. The URL path is no longer displayed in the default 404 template and the ``request_path`` context variable is now quoted to fix the issue for custom templates that use the path. Bugfixes ======== * Fixed compatibility with mysqlclient 1.3.14 (:ticket:`30013`). * Fixed a schema corruption issue on SQLite 3.26+. You might have to drop and rebuild your SQLite database if you applied a migration while using an older version of Django with SQLite 3.26 or later (:ticket:`29182`). * Prevented SQLite schema alterations while foreign key checks are enabled to avoid the possibility of schema corruption (:ticket:`30023`). * Fixed a regression in Django 2.1.4 (which enabled keep-alive connections) where request body data isn't properly consumed for such connections (:ticket:`30015`). * Fixed a regression in Django 2.1.4 where ``InlineModelAdmin.has_change_permission()`` is incorrectly called with a non-``None`` ``obj`` argument during an object add (:ticket:`30050`). ========================== ``` ### 2.1.4 ``` ========================== *December 3, 2018* Django 2.1.4 fixes several bugs in 2.1.3. Bugfixes ======== * Corrected the default password list that ``CommonPasswordValidator`` uses by lowercasing all passwords to match the format expected by the validator (:ticket:`29952`). * Prevented repetitive calls to ``geos_version_tuple()`` in the ``WKBWriter`` class in an attempt to fix a random crash involving ``LooseVersion`` (:ticket:`29959`). * Fixed keep-alive support in ``runserver`` after it was disabled to fix another issue in Django 2.0 (:ticket:`29849`). * Fixed admin view-only change form crash when using ``ModelAdmin.prepopulated_fields`` (:ticket:`29929`). * Fixed "Please correct the errors below" error message when editing an object in the admin if the user only has the "view" permission on inlines (:ticket:`29930`). ========================== ```Links
- PyPI: https://pypi.org/project/django - Changelog: https://pyup.io/changelogs/django/ - Homepage: https://www.djangoproject.com/