django/docs/releases/1.11.11.txt

============================
Django 1.11.11 release notes
============================

*March 6, 2018*

Django 1.11.11 fixes two security issues in 1.11.10.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.
Added stub release notes for security releases. 2018-02-25 00:39:17 +00:00			`============================`
			`Django 1.11.11 release notes`
			`============================`

			`March 6, 2018`

			`Django 1.11.11 fixes two security issues in 1.11.10.`
Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch. 2018-02-24 16:30:11 +00:00
			CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
			`===============================================================================================`

			The ``django.utils.html.urlize()`` function was extremely slow to evaluate
			`certain inputs due to catastrophic backtracking vulnerabilities in two regular`
			expressions. The ``urlize()`` function is used to implement the ``urlize`` and
			``urlizetrunc`` template filters, which were thus vulnerable.

			`The problematic regular expressions are replaced with parsing logic that`
			`behaves similarly.`