Django 5.0.8 release notes¶
August 6, 2024
Django 5.0.8 fixes three security issues with severity “moderate”, one security issue with severity “high”, and several bugs in 5.0.7.
CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
¶
If floatformat
received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()
¶
urlize
and urlizetrunc
were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize()
and AdminURLFieldWidget
¶
urlize
, urlizetrunc
, and AdminURLFieldWidget
were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
CVE-2024-42005: Potential SQL injection in QuerySet.values()
and values_list()
¶
QuerySet.values()
and values_list()
methods on models
with a JSONField
were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed *arg
.
Bugfixes¶
Added missing validation for
UniqueConstraint(nulls_distinct=False)
when using*expressions
(#35594).Fixed a regression in Django 5.0 where
ModelAdmin.action_checkbox
could break the admin changelist HTML page when rendering a model instance with a__html__
method (#35606).Fixed a crash when creating a model with a
Field.db_default
and aMeta.constraints
constraint composed of__endswith
,__startswith
, or__contains
lookups (#35625).Fixed a regression in Django 5.0.7 that caused a crash in
LocaleMiddleware
when processing a language code over 500 characters (#35627).Fixed a bug in Django 5.0 that caused a system check crash when
ModelAdmin.date_hierarchy
was aGeneratedField
with anoutput_field
ofDateField
orDateTimeField
(#35628).Fixed a bug in Django 5.0 which caused constraint validation to either crash or incorrectly raise validation errors for constraints referring to fields using
Field.db_default
(#35638).Fixed a crash in Django 5.0 when saving a model containing a
FileField
with adb_default
set (#35657).