Django 4.2.6 release notes¶
October 4, 2023
Django 4.2.6 fixes a security issue with severity “moderate” and several bugs in 4.2.5.
CVE-2023-43665: Denial-of-service possibility in
Following the fix for CVE-2019-14232, the regular expressions used in the
html=True) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.
The input processed by
Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
Fixed a regression in Django 4.2.5 where overriding the deprecated
STATICFILES_STORAGEsettings in tests caused the main
STORAGESto mutate (#34821).
Fixed a regression in Django 4.2 that caused unnecessary casting of string based fields (
CITextField) used with the
__isnulllookup on PostgreSQL. As a consequence, indexes using an
__isnullexpression or condition created before Django 4.2 wouldn’t be used by the query planner, leading to a performance regression (#34840).
You may need to recreate such indexes created in your database with Django 4.2 to 4.2.5, as they contain unnecessary
::textcasting. Find candidate indexes with this query:
SELECT indexname, indexdef FROM pg_indexes WHERE indexdef LIKE '%::text IS %NULL';