django/docs/releases/4.2.11.txt

===========================
Django 4.2.11 release notes
===========================

*March 4, 2024*

Django 4.2.11 fixes a security issue with severity "moderate" and a regression
in 4.2.10.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

Bugfixes
========

* Fixed a regression in Django 4.2.10 where ``intcomma`` template filter could
  return a leading comma for string representation of floats (:ticket:`35172`).
Fixed #35172 -- Fixed intcomma for string floats. Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. 2024-02-08 09:58:54 +00:00			`===========================`
			`Django 4.2.11 release notes`
			`===========================`

Added release date for 5.0.3, 4.2.11, and 3.2.25. 2024-02-26 07:21:36 +00:00			`March 4, 2024`
Fixed #35172 -- Fixed intcomma for string floats. Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. 2024-02-08 09:58:54 +00:00
Added release date for 5.0.3, 4.2.11, and 3.2.25. 2024-02-26 07:21:36 +00:00			`Django 4.2.11 fixes a security issue with severity "moderate" and a regression`
			`in 4.2.10.`
Fixed #35172 -- Fixed intcomma for string floats. Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. 2024-02-08 09:58:54 +00:00
Refs CVE-2024-27351 -- Forwardported release notes and tests. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2024-02-19 12:56:37 +00:00			CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
			`=========================================================================================================`

			``django.utils.text.Truncator.words()`` method (with ``html=True``) and
			:tfilter:`truncatewords_html` template filter were subject to a potential
			`regular expression denial-of-service attack using a suitably crafted string`
			(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

Fixed #35172 -- Fixed intcomma for string floats. Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. 2024-02-08 09:58:54 +00:00			`Bugfixes`
			`========`

			* Fixed a regression in Django 4.2.10 where ``intcomma`` template filter could
			return a leading comma for string representation of floats (:ticket:`35172`).