2024-08-27 12:20:59 +00:00
|
|
|
===========================
|
|
|
|
Django 4.2.16 release notes
|
|
|
|
===========================
|
|
|
|
|
|
|
|
*September 3, 2024*
|
|
|
|
|
|
|
|
Django 4.2.16 fixes one security issue with severity "moderate" and one
|
2024-08-27 12:46:12 +00:00
|
|
|
security issue with severity "low" in 4.2.15.
|
2024-08-27 12:20:59 +00:00
|
|
|
|
2024-08-12 13:17:57 +00:00
|
|
|
CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
|
|
|
|
===========================================================================================
|
|
|
|
|
|
|
|
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
|
|
|
|
denial-of-service attack via very large inputs with a specific sequence of
|
|
|
|
characters.
|
2024-08-19 17:47:38 +00:00
|
|
|
|
|
|
|
CVE-2024-45231: Potential user email enumeration via response status on password reset
|
|
|
|
======================================================================================
|
|
|
|
|
|
|
|
Due to unhandled email sending failures, the
|
|
|
|
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
|
|
|
|
attackers to enumerate user emails by issuing password reset requests and
|
|
|
|
observing the outcomes.
|
|
|
|
|
|
|
|
To mitigate this risk, exceptions occurring during password reset email sending
|
|
|
|
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.
|