django/docs/releases/4.2.14.txt

===========================
Django 4.2.14 release notes
===========================

*July 9, 2024*

Django 4.2.14 fixes two security issues with severity "moderate" and two
security issues with severity "low" in 4.2.13.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
=================================================================================================

:meth:`~django.utils.translation.get_supported_language_variant` was subject to
a potential denial-of-service attack when used with very long strings
containing specific characters.

To mitigate this vulnerability, the language code provided to
:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
up to a maximum length of 500 characters.

When the language code is over 500 characters, a :exc:`ValueError` will now be
raised if ``strict`` is ``True``, or if there is no generic variant and
``strict`` is ``False``.
Added stub release notes and release date for 5.0.7 and 4.2.14. 2024-07-03 17:09:34 +00:00			`===========================`
			`Django 4.2.14 release notes`
			`===========================`

			`July 9, 2024`

			`Django 4.2.14 fixes two security issues with severity "moderate" and two`
			`security issues with severity "low" in 4.2.13.`

Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-06-24 13:30:59 +00:00			CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
			`===========================================================================================`

			:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
			`denial-of-service attack via certain inputs with a very large number of`
			`brackets.`
Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. 2024-06-15 02:12:58 +00:00
			`CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords`
			`================================================================================================`

			The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
			`allowed remote attackers to enumerate users via a timing attack involving login`
			`requests for users with unusable passwords.`
Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews. 2024-03-20 16:55:21 +00:00
			CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
			`====================================================================`

			Derived classes of the :class:`~django.core.files.storage.Storage` base class
			which override :meth:`generate_filename()
			<django.core.files.storage.Storage.generate_filename()>` without replicating
			`the file path validations existing in the parent class, allowed for potential`
			directory-traversal via certain inputs when calling :meth:`save()
			<django.core.files.storage.Storage.save()>`.

			Built-in ``Storage`` sub-classes were not affected by this vulnerability.
Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report. 2024-06-26 10:11:54 +00:00
			CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
			`=================================================================================================`

			:meth:`~django.utils.translation.get_supported_language_variant` was subject to
			`a potential denial-of-service attack when used with very long strings`
			`containing specific characters.`

			`To mitigate this vulnerability, the language code provided to`
			:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
			`up to a maximum length of 500 characters.`

			When the language code is over 500 characters, a :exc:`ValueError` will now be
			raised if ``strict`` is ``True``, or if there is no generic variant and
			``strict`` is ``False``.