Django 3.0.4 版本发行说明
2020 年 3 月 4 日
Django 3.0.4 fixes a security issue and several bugs in 3.0.3.
CVE-2020-9402: Potential SQL injection via tolerance
parameter in GIS functions and aggregates on Oracle
GIS functions and aggregates on Oracle were subject to SQL injection,
using a suitably crafted tolerance
.
漏洞修复
- Fixed a data loss possibility when using caching from async code
(#31253).
- Fixed a regression in Django 3.0 that caused a file response using a
temporary file to be closed incorrectly (#31240).
- Fixed a data loss possibility in the
select_for_update()
. When using
related fields or parent link fields with 多表继承 in
the of
argument, the corresponding models were not locked
(#31246).
- Fixed a regression in Django 3.0 that caused misplacing parameters in logged
SQL queries on Oracle (#31271).
- Fixed a regression in Django 3.0.3 that caused misplacing parameters of SQL
queries when subtracting
DateField
or DateTimeField
expressions on
MySQL (#31312).
- Fixed a regression in Django 3.0 that didn't include subqueries spanning
multivalued relations in the
GROUP BY
clause (#31150).