django/docs/releases/2.0.3.txt

==========================
Django 2.0.3 release notes
==========================

*March 6, 2018*

Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
latest string translations from Transifex are incorporated.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

Bugfixes
========

* Fixed a regression that caused sliced ``QuerySet.distinct().order_by()``
  followed by ``count()`` to crash (:ticket:`29108`).

* Prioritized the datetime and time input formats without ``%f`` for the Thai
  locale to fix the admin time picker widget displaying "undefined"
  (:ticket:`29109`).

* Fixed crash with ``QuerySet.order_by(Exists(...))`` (:ticket:`29118`).

* Made ``Q.deconstruct()`` deterministic with multiple keyword arguments
  (:ticket:`29125`). You may need to modify ``Q``'s in existing migrations, or
  accept an autogenerated migration.

* Fixed a regression where a ``When()`` expression with a list argument crashes
  (:ticket:`29166`).

* Fixed crash when using a ``Window()`` expression in a subquery
  (:ticket:`29172`).

* Fixed ``AbstractBaseUser.normalize_username()`` crash if the ``username``
  argument isn't a string (:ticket:`29176`).
[2.0.x] Added stub release notes for 2.0.3. Backport of 7515e1f3fc710001734ff664efd87366d7973c63 from master 2018-02-04 13:10:08 +08:00			`==========================`
			`Django 2.0.3 release notes`
			`==========================`

[2.0.x] Added stub release notes for security releases. 2018-02-25 08:39:17 +08:00			`March 6, 2018`
[2.0.x] Added stub release notes for 2.0.3. Backport of 7515e1f3fc710001734ff664efd87366d7973c63 from master 2018-02-04 13:10:08 +08:00
[2.0.x] Added stub release notes for security releases. 2018-02-25 08:39:17 +08:00			`Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the`
			`latest string translations from Transifex are incorporated.`
[2.0.x] Added stub release notes for 2.0.3. Backport of 7515e1f3fc710001734ff664efd87366d7973c63 from master 2018-02-04 13:10:08 +08:00
[2.0.x] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch. 2018-02-25 00:30:11 +08:00			CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
			`===============================================================================================`

			The ``django.utils.html.urlize()`` function was extremely slow to evaluate
			`certain inputs due to catastrophic backtracking vulnerabilities in two regular`
			expressions. The ``urlize()`` function is used to implement the ``urlize`` and
			``urlizetrunc`` template filters, which were thus vulnerable.

			`The problematic regular expressions are replaced with parsing logic that`
			`behaves similarly.`

[2.0.x] Added stub release notes for 2.0.3. Backport of 7515e1f3fc710001734ff664efd87366d7973c63 from master 2018-02-04 13:10:08 +08:00			`Bugfixes`
			`========`

[2.0.x] Fixed #29108 -- Fixed crash in aggregation of distinct+ordered+sliced querysets. Regression in 4acae21846f6212aa992763e587c7e201828d7b0. Thanks Stephen Brooks for the report. Backport of d61fe246015aa4fdc6dcb837ffb1442fa71ae586 from master 2018-02-08 22:59:25 +08:00			* Fixed a regression that caused sliced ``QuerySet.distinct().order_by()``
			followed by ``count()`` to crash (:ticket:`29108`).
[2.0.x] Fixed #29109 -- Fixed the admin time picker widget for the Thai locale. Backport of 1a1264f1494976c562c7cb832fe47f3e1e765b8f from master 2018-02-11 05:05:41 +08:00
			* Prioritized the datetime and time input formats without ``%f`` for the Thai
			`locale to fix the admin time picker widget displaying "undefined"`
			(:ticket:`29109`).
[2.0.x] Fixed #29118 -- Fixed crash with QuerySet.order_by(Exists(...)). Backport of bf26f66029bca94b007a2452679ac004598364a6 from master 2018-02-07 11:09:43 +08:00
			* Fixed crash with ``QuerySet.order_by(Exists(...))`` (:ticket:`29118`).
[2.0.x] Fixed #29125 -- Made Q.deconstruct() deterministic with multiple keyword arguments. Backport of b95c49c954e3b75678bb258e9fb2ec30d0d960bb from master 2018-02-13 03:00:29 +08:00
			* Made ``Q.deconstruct()`` deterministic with multiple keyword arguments
			(:ticket:`29125`). You may need to modify ``Q``'s in existing migrations, or
			`accept an autogenerated migration.`
[2.0.x] Fixed #29166 -- Fixed crash in When() expression with a list argument. Thanks Matthew Pava for the report and Tim Graham and Carlton Gibson for reviews. Regression in 19b2dfd1bfe7fd716dd3d8bfa5f972070d83b42f. Backport of 54f80430be4a9adf1fc00b4ca17547415fafc69b from master 2018-03-01 01:05:23 +08:00
			* Fixed a regression where a ``When()`` expression with a list argument crashes
			(:ticket:`29166`).
[2.0.x] Fixed #29172 -- Fixed crash with Window expression in a subquery. Backport of fa352626c2a80bcdcd0fc6492b5fd5130490f05e from master 2018-03-01 15:55:05 +08:00
			* Fixed crash when using a ``Window()`` expression in a subquery
			(:ticket:`29172`).
[2.0.x] Fixed #29176 -- Fixed AbstractBaseUser.normalize_username() crash if username isn't a string. Backport of 40bac28faabbacd0875e59455cd80fb1dbb16966 from master 2018-03-01 22:26:40 +08:00
			* Fixed ``AbstractBaseUser.normalize_username()`` crash if the ``username``
			argument isn't a string (:ticket:`29176`).