django/docs/releases/4.0.4.txt

==========================
Django 4.0.4 release notes
==========================

*April 11, 2022*

Django 4.0.4 fixes two security issues with severity "high" and two bugs in
4.0.3.

CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
====================================================================================================

:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.

Bugfixes
========

* Fixed a regression in Django 4.0 that caused ignoring multiple
  ``FilteredRelation()`` relationships to the same field (:ticket:`33598`).

* Fixed a regression in Django 3.2.4 that caused the auto-reloader to no longer
  detect changes when the ``DIRS`` option of the ``TEMPLATES`` setting
  contained an empty string (:ticket:`33628`).
Added stub release notes for Django 4.0.4. 2022-03-01 09:58:35 +01:00			`==========================`
			`Django 4.0.4 release notes`
			`==========================`

Added stub release notes and release date for 4.0.4, 3.2.13, and 2.2.28. 2022-04-01 08:37:19 +02:00			`April 11, 2022`
Added stub release notes for Django 4.0.4. 2022-03-01 09:58:35 +01:00
Fixed #33628 -- Ignored directories with empty names in autoreloader check for template changes. Regression in 68357b2ca9e88c40fc00d848799813241be39129. 2022-04-09 11:36:26 +02:00			`Django 4.0.4 fixes two security issues with severity "high" and two bugs in`
			`4.0.3.`
Added stub release notes for Django 4.0.4. 2022-03-01 09:58:35 +01:00
Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. 2022-04-01 08:10:22 +02:00			CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
			`====================================================================================================`

			:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
			:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
			`aliases, using a suitably crafted dictionary, with dictionary expansion, as the`
			``**kwargs`` passed to these methods.

Added stub release notes for Django 4.0.4. 2022-03-01 09:58:35 +01:00			`Bugfixes`
			`========`

Fixed #33598 -- Reverted "Removed unnecessary reuse_with_filtered_relation argument from Query methods." Thanks lind-marcus for the report. This reverts commit 0c71e0f9cfa714a22297ad31dd5613ee548db379. Regression in 0c71e0f9cfa714a22297ad31dd5613ee548db379. 2022-03-30 07:31:56 +02:00			`* Fixed a regression in Django 4.0 that caused ignoring multiple`
			``FilteredRelation()`` relationships to the same field (:ticket:`33598`).
Fixed #33628 -- Ignored directories with empty names in autoreloader check for template changes. Regression in 68357b2ca9e88c40fc00d848799813241be39129. 2022-04-09 11:36:26 +02:00
			`* Fixed a regression in Django 3.2.4 that caused the auto-reloader to no longer`
			detect changes when the ``DIRS`` option of the ``TEMPLATES`` setting
			contained an empty string (:ticket:`33628`).