June 3, 2020
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
CVE-2020-13254: Potential data leakage via malformed memcached keys
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
Query parameters for the admin ForeignKeyRawIdWidget
were not properly URL
encoded, posing an XSS attack vector. ForeignKeyRawIdWidget
now
ensures query parameters are correctly URL encoded.
漏洞修复
- Fixed a regression in Django 3.0 by restoring the ability to use field
lookups in
Meta.ordering
(#31538). - Fixed a regression in Django 3.0 where
QuerySet.values()
andvalues_list()
crashed if a queryset contained an aggregation and a subquery annotation (#31566). - Fixed a regression in Django 3.0 where aggregates used wrong annotations when a queryset has multiple subqueries annotations (#31568).
- Fixed a regression in Django 3.0 where
QuerySet.values()
andvalues_list()
crashed if a queryset contained an aggregation and anExists()
annotation on Oracle (#31584). - Fixed a regression in Django 3.0 where all resolved
Subquery()
expressions were considered equal (#31607). - Fixed a regression in Django 3.0.5 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language (#31570).
- Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.4.1 to 3.5.1.
讨论区