Django 3.0.4 release notes

March 4, 2020

Django 3.0.4 fixes a security issue and several bugs in 3.0.3.

CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle

GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.
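The class of bug described above, as an added example that is not Django's code or its patch: a numeric tolerance formatted into the SQL text, next to a version that type-checks it and passes it as a bind variable. The table and column names, the 0.05 default, the :tol bind name and the positive-number rule are assumptions of this sketch.

```python
import math
from decimal import Decimal

# Hypothetical table/column and SQL shape, constructed for this example.
SQL_TEMPLATE = "SELECT SDO_GEOM.SDO_AREA(shape, {tol}) FROM parcel"
DEFAULT_TOLERANCE = 0.05  # assumed default for the example


def render_interpolated(tolerance=DEFAULT_TOLERANCE):
    """Weak pattern: the tolerance becomes part of the SQL text itself."""
    return SQL_TEMPLATE.format(tol=tolerance), {}


def check_tolerance(value):
    """Accept only finite, positive numbers; reject everything else."""
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float, Decimal)):
        raise TypeError("tolerance must be a number, got %s" % type(value).__name__)
    if not math.isfinite(value) or value <= 0:
        raise ValueError("tolerance must be finite and positive")
    return value


def render_bound(tolerance=DEFAULT_TOLERANCE):
    """Hardened pattern: type-check, then pass the value as a bind variable."""
    return SQL_TEMPLATE.format(tol=":tol"), {"tol": check_tolerance(tolerance)}


if __name__ == "__main__":
    # Constructed non-numeric input, as might arrive from a query string.
    untrusted = "0.05 /* caller-controlled text */"
    print(render_interpolated(untrusted))  # text lands inside the statement
    print(render_bound(0.001))             # statement text is constant
    try:
        render_bound(untrusted)
    except TypeError as exc:
        print("rejected:", exc)
```

Code that forwards a request value into a tolerance argument can apply the same check at the view layer on releases before 3.0.4.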

Bugfixes

  • Fixed a data loss possibility when using caching from async code (#31253).
  • Fixed a regression in Django 3.0 that caused a file response using a temporary file to be closed incorrectly (#31240).
  • Fixed a data loss possibility in select_for_update(). When using related fields or parent link fields with multi-table inheritance in the of argument, the corresponding models were not locked (#31246).
  • Fixed a regression in Django 3.0 that caused misplacing parameters in logged SQL queries on Oracle (#31271).
  • Fixed a regression in Django 3.0.3 that caused misplacing parameters of SQL queries when subtracting DateField or DateTimeField expressions on MySQL (#31312).
  • Fixed a regression in Django 3.0 that didn't include subqueries spanning multivalued relations in the GROUP BY clause (#31150).