========================== Django 5.0.8 release notes ========================== *August 6, 2024* Django 5.0.8 fixes three security issues with severity "moderate", one security issue with severity "high", and several bugs in 5.0.7. CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()`` ================================================================================ If :tfilter:`floatformat` received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption. To avoid this, decimals with more than 200 digits are now returned as is. CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` =========================================================================================== :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget`` ======================================================================================================================= :tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()`` ====================================================================================== :meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models with a ``JSONField`` were subject to SQL injection in column aliases, via a crafted JSON object key as a passed ``*arg``. Bugfixes ======== * Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when using ``*expressions`` (:ticket:`35594`). * Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could break the admin changelist HTML page when rendering a model instance with a ``__html__`` method (:ticket:`35606`). * Fixed a crash when creating a model with a ``Field.db_default`` and a ``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``, or ``__contains`` lookups (:ticket:`35625`). * Fixed a regression in Django 5.0.7 that caused a crash in ``LocaleMiddleware`` when processing a language code over 500 characters (:ticket:`35627`). * Fixed a bug in Django 5.0 that caused a system check crash when ``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an ``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`). * Fixed a bug in Django 5.0 which caused constraint validation to either crash or incorrectly raise validation errors for constraints referring to fields using ``Field.db_default`` (:ticket:`35638`). * Fixed a crash in Django 5.0 when saving a model containing a ``FileField`` with a ``db_default`` set (:ticket:`35657`).