Django 3.2.5 release notes
July 1, 2021
Django 3.2.5 fixes a security issue with severity “high” and several bugs in 3.2.4. Also, the latest string translations from Transifex are incorporated.
CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by()
input
Unsanitized user input passed to QuerySet.order_by()
could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.
As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1 as a side effect of fixing #31426.
The issue is not present in the main branch as the deprecated path has been removed.
Bugfixes
- Fixed a regression in Django 3.2 that caused a crash of
QuerySet.values_list(…, named=True)
afterprefetch_related()
(#32812). - Fixed a bug in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when altering
BinaryField
,JSONField
, orTextField
to non-nullable (#32503). - Fixed a regression in Django 3.2 that caused a migration crash on MySQL 8.0.13+ when adding nullable
BinaryField
,JSONField
, orTextField
with a default value (#32832). - Fixed a bug in Django 3.2 where a system check would crash on a model with an invalid
app_label
(#32863).