CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs¶

Internationalized URLs were subject to potential denial of service attack via the locale parameter.

Bugfixes¶

• Fixed a regression in Django 4.1 that caused a migration crash on PostgreSQL when adding a model with ExclusionConstraint (#33982).

• Fixed a regression in Django 4.1 that caused aggregation over a queryset that contained an Exists annotation to crash due to too many selected columns (#33992).

• Fixed a bug in Django 4.1 that caused an incorrect validation of CheckConstraint on NULL values (#33996).

• Fixed a regression in Django 4.1 that caused a QuerySet.values()/values_list() crash on ArrayAgg() and JSONBAgg() (#34016).

• Fixed a bug in Django 4.1 that caused ModelAdmin.autocomplete_fields to be incorrectly selected after adding/changing related instances via popups (#34025).

• Fixed a regression in Django 4.1 where the app registry was not populated when running parallel tests with the multiprocessing start method spawn (#34010).

• Fixed a regression in Django 4.1 where the --debug-mode argument to test did not work when running parallel tests with the multiprocessing start method spawn (#34010).

• Fixed a regression in Django 4.1 that didn’t alter a sequence type when altering type of pre-Django 4.1 serial columns on PostgreSQL (#34058).

• Fixed a regression in Django 4.1 that caused a crash for View subclasses with asynchronous handlers when handling non-allowed HTTP methods (#34062).

• Reverted caching related managers for ForeignKey, ManyToManyField, and GenericRelation that caused the incorrect refreshing of related objects (#33984).

• Relaxed the system check added in Django 4.1 for the same name used for multiple template tag modules to a warning (#32987).