Django 5.0.3 release notes¶
March 4, 2024
Django 5.0.3 fixes a security issue with severity “moderate” and several bugs in 5.0.2.
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
¶
django.utils.text.Truncator.words()
method (with html=True
) and
truncatewords_html
template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to CVE 2019-14232 and CVE 2023-43665).
Bugfixes¶
Fixed a regression in Django 5.0.2 where
intcomma
template filter could return a leading comma for string representation of floats (#35172).Fixed a bug in Django 5.0 that caused a crash of
Signal.asend()
andasend_robust()
when all receivers were asynchronous functions (#35174).Fixed a regression in Django 5.0.1 where
ModelAdmin.lookup_allowed()
would prevent filtering against foreign keys using lookups like__isnull
when the field was not included inModelAdmin.list_filter
(#35173).Fixed a regression in Django 5.0 that caused a crash of
@sensitive_variables
and@sensitive_post_parameters
decorators on functions loaded from.pyc
files (#35187).Fixed a regression in Django 5.0 that caused a crash when reloading a test database and a base queryset for a base manager used
prefetch_related()
(#35238).Fixed a bug in Django 5.0 where facet filters in the admin would crash on a
SimpleListFilter
using a queryset without primary keys (#35198).