Django 4.0.6 release notes¶

July 4, 2022

Django 4.0.6 fixes a security issue with severity “high” in 4.0.5.

CVE-2022-34265: Potential SQL injection via `Trunc(kind)` and `Extract(lookup_name)` arguments¶

Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value.

Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

FAQ: Try the FAQ — it's got answers to many common questions.
Index, Module Index, or Table of Contents: Handy when looking for specific information.
django-users mailing list: Search for information in the archives of the django-users mailing list, or post a question.
#django IRC channel: Ask a question in the #django IRC channel, or search the IRC logs to see if it’s been asked before.
Django Discord Server: Join the Django Discord Community.
Official Django Forum: Join the community on the Django Forum.
Ticket tracker: Report bugs with Django or Django documentation in our ticket tracker.

Offline (Django 4.0): HTML | PDF | ePub
Provided by Read the Docs.