==========================
Django 5.0.3 release notes
==========================

*March 4, 2024*

Django 5.0.3 fixes a security issue with severity "moderate" and several bugs
in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

The ``django.utils.text.Truncator.words()`` method (with ``html=True``) and
the :tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(a follow-up to :cve:`2019-14232` and :cve:`2023-43665`).

Bugfixes
========

* Fixed a regression in Django 5.0.2 where the ``intcomma`` template filter
  could return a leading comma for the string representation of floats
  (:ticket:`35172`).

* Fixed a bug in Django 5.0 that caused a crash of ``Signal.asend()`` and
  ``asend_robust()`` when all receivers were asynchronous functions
  (:ticket:`35174`).

* Fixed a regression in Django 5.0.1 where :meth:`.ModelAdmin.lookup_allowed`
  would prevent filtering against foreign keys using lookups like ``__isnull``
  when the field was not included in :attr:`.ModelAdmin.list_filter`
  (:ticket:`35173`).

* Fixed a regression in Django 5.0 that caused a crash of the
  ``@sensitive_variables`` and ``@sensitive_post_parameters`` decorators on
  functions loaded from ``.pyc`` files (:ticket:`35187`).

* Fixed a regression in Django 5.0 that caused a crash when reloading a test
  database and a base queryset for a base manager used ``prefetch_related()``
  (:ticket:`35238`).

* Fixed a bug in Django 5.0 where facet filters in the admin would crash on a
  ``SimpleListFilter`` using a queryset without primary keys
  (:ticket:`35198`).
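
An exposure check for CVE-2024-27351, added here as an example and not part of Django or of these release notes: it lists template lines that apply ``truncatewords_html``, Python calls to a ``.words()`` method with ``html`` enabled, and whether a 5.0.x version string predates 5.0.3. The function names and sample inputs are constructed for illustration, and the ``.words()`` match is by method name only, so hits need manual review.

```python
import ast
import re

FIXED_5_0 = (5, 0, 3)  # fixed release named in these notes
TEMPLATE_FILTER = re.compile(r"\|\s*truncatewords_html\b")

def needs_upgrade(version):
    """True/False for a 5.0.x version string; None for other series (not covered here)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    parts = tuple(int(g or 0) for g in m.groups())
    return parts < FIXED_5_0 if parts[:2] == (5, 0) else None

def find_template_uses(text):
    """Line numbers where the truncatewords_html filter is applied."""
    return [n for n, line in enumerate(text.splitlines(), 1) if TEMPLATE_FILTER.search(line)]

def find_words_html_calls(source):
    """Line numbers of .words(...) calls whose html argument is not literally False."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "words"):
            continue
        html = next((k.value for k in node.keywords if k.arg == "html"), None)
        if html is None and len(node.args) >= 3:  # words(num, truncate, html)
            html = node.args[2]
        if html is not None and not (isinstance(html, ast.Constant) and html.value is False):
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample inputs (assumptions, not taken from any real project).
SAMPLE_TEMPLATE = """<h1>{{ post.title }}</h1>
<div>{{ post.body|truncatewords_html:40 }}</div>
<p>{{ post.summary|truncatewords:20 }}</p>
"""
SAMPLE_PY = """from django.utils.text import Truncator

def preview(comment):
    return Truncator(comment).words(30, html=True)

def plain(comment):
    return Truncator(comment).words(30)
"""

if __name__ == "__main__":
    print("5.0.2 needs upgrade:", needs_upgrade("5.0.2"))
    print("template lines:", find_template_uses(SAMPLE_TEMPLATE))
    print("python lines:", find_words_html_calls(SAMPLE_PY))
```

Any hit on untrusted input is a reason to prioritise the upgrade to 5.0.3.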