django1/docs/releases/3.0.7.txt

==========================
Django 3.0.7 release notes
==========================

*June 3, 2020*

Django 3.0.7 fixes two security issues and several bugs in 3.0.6.

CVE-2020-13254: Potential data leakage via malformed memcached keys
===================================================================

In cases where a memcached backend does not perform key validation, passing
malformed cache keys could result in a key collision, and potential data
leakage. In order to avoid this vulnerability, key validation is added to the
memcached cache backends.

CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================

Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.

Bugfixes
========

* Fixed a regression in Django 3.0 by restoring the ability to use field
  lookups in ``Meta.ordering`` (:ticket:`31538`).

* Fixed a regression in Django 3.0 where ``QuerySet.values()`` and
  ``values_list()`` crashed if a queryset contained an aggregation and a
  subquery annotation (:ticket:`31566`).

* Fixed a regression in Django 3.0 where aggregates used wrong annotations when
  a queryset has multiple subqueries annotations (:ticket:`31568`).

* Fixed a regression in Django 3.0 where ``QuerySet.values()`` and
  ``values_list()`` crashed if a queryset contained an aggregation and an
  ``Exists()`` annotation on Oracle (:ticket:`31584`).

* Fixed a regression in Django 3.0 where all resolved ``Subquery()``
  expressions were considered equal (:ticket:`31607`).

* Fixed a regression in Django 3.0.5 that affected translation loading for apps
  providing translations for territorial language variants as well as a generic
  language, where the project has different plural equations for the language
  (:ticket:`31570`).

* Tracking a jQuery security release, upgraded the version of jQuery used by
  the admin from 3.4.1 to 3.5.1.
Added stub release notes for 3.0.7. 2020-05-04 13:38:35 +08:00			`==========================`
			`Django 3.0.7 release notes`
			`==========================`

Added release date for 2.2.13 and 3.0.7. 2020-06-03 15:13:16 +08:00			`June 3, 2020`
Added stub release notes for 3.0.7. 2020-05-04 13:38:35 +08:00
Updated expected release dates for 3.0.7 and 2.2.13. 2020-05-27 16:19:15 +08:00			`Django 3.0.7 fixes two security issues and several bugs in 3.0.6.`
Added stub release notes for 3.0.7. 2020-05-04 13:38:35 +08:00
Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends. 2020-05-20 17:45:31 +08:00			`CVE-2020-13254: Potential data leakage via malformed memcached keys`
			`===================================================================`

			`In cases where a memcached backend does not perform key validation, passing`
			`malformed cache keys could result in a key collision, and potential data`
			`leakage. In order to avoid this vulnerability, key validation is added to the`
			`memcached cache backends.`

Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget. 2020-05-26 15:51:02 +08:00			CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
			`================================================================`

			Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
			encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
			`ensures query parameters are correctly URL encoded.`

Added stub release notes for 3.0.7. 2020-05-04 13:38:35 +08:00			`Bugfixes`
			`========`

Fixed #31538 -- Fixed Meta.ordering validation lookups that are not transforms. Regression in 440505cb2cadbe1a5b9fba246bcde6c04f51d07e. Thanks Simon Meers for the report. 2020-05-05 15:08:29 +08:00			`* Fixed a regression in Django 3.0 by restoring the ability to use field`
			lookups in ``Meta.ordering`` (:ticket:`31538`).
Fixed #31566 -- Fixed aliases crash when chaining values()/values_list() after annotate() with aggregations and subqueries. Subquery annotation references must be resolved if they are excluded from the GROUP BY clause by a following .values() call. Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80. Thanks Makina Corpus for the report. 2020-05-14 11:38:29 +08:00
			* Fixed a regression in Django 3.0 where ``QuerySet.values()`` and
			``values_list()`` crashed if a queryset contained an aggregation and a
			subquery annotation (:ticket:`31566`).
Fixed #31568 -- Fixed alias reference when aggregating over multiple subqueries. 691def10a0197d83d2d108bd9043b0916d0f09b4 made all Subquery() instances equal to each other which broke aggregation subquery pushdown which relied on object equality to determine which alias it should select. Subquery.__eq__() will be fixed in an another commit but Query.rewrite_cols() should haved used object identity from the start. Refs #30727, #30188. Thanks Makina Corpus for the report. 2020-05-14 12:14:48 +08:00
			`* Fixed a regression in Django 3.0 where aggregates used wrong annotations when`
			a queryset has multiple subqueries annotations (:ticket:`31568`).
Fixed #31584 -- Fixed crash when chaining values()/values_list() after Exists() annotation and aggregation on Oracle. Oracle requires the EXISTS expression to be wrapped in a CASE WHEN in the GROUP BY clause. Regression in efa1908f662c19038a944129c81462485c4a9fe8. 2020-05-14 21:07:08 +08:00
			* Fixed a regression in Django 3.0 where ``QuerySet.values()`` and
			``values_list()`` crashed if a queryset contained an aggregation and an
			``Exists()`` annotation on Oracle (:ticket:`31584`).
Refs #31607 -- Added release notes for a125da6a7c79b1d4c55677d0bed6f9b1d7d77353. 2020-05-20 15:18:19 +08:00
			* Fixed a regression in Django 3.0 where all resolved ``Subquery()``
			expressions were considered equal (:ticket:`31607`).
Fixed #31570 -- Corrected translation loading for apps providing territorial language variants with different plural equations. Regression in e3e48b00127c09eafe6439d980a82fc5c591b673. Thanks to Shai Berger for report, reproduce and suggested fix. 2020-05-28 16:26:41 +08:00
			`* Fixed a regression in Django 3.0.5 that affected translation loading for apps`
			`providing translations for territorial language variants as well as a generic`
			`language, where the project has different plural equations for the language`
			(:ticket:`31570`).
Refs #31485 -- Added release notes for backport of jQuery upgrade to 3.5.1. 2020-06-02 20:32:43 +08:00
			`* Tracking a jQuery security release, upgraded the version of jQuery used by`
			`the admin from 3.4.1 to 3.5.1.`