Django 2.2.13 release notes¶
June 3, 2020
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
CVE-2020-13254: Potential data leakage via malformed memcached keys¶
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.
CVE-2020-13596: Possible XSS via admin
Query parameters for the admin
ForeignKeyRawIdWidget were not properly URL
encoded, posing an XSS attack vector.
ensures query parameters are correctly URL encoded.
- Fixed a regression in Django 2.2.12 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language (#31570).
- Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.3.1 to 3.5.1.