mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-30 17:16:10 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.

Browse Source 
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
This commit is contained in:
Michael Manfre
2024-12-11 21:39:32 -05:00
committed by Natalia
parent 9a2dd9789a
commit ca2be7724e
9 changed files with 131 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/releases/4.2.18.txt
View File

@@ -5,3 +5,15 @@ Django 4.2.18 release notes
*January 14, 2025*
Django 4.2.18 fixes a security issue with severity "moderate" in 4.2.17.
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
============================================================================
Lack of upper bound limit enforcement in strings passed when performing IPv6
validation could lead to a potential denial-of-service attack. The undocumented
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
which has now been updated to define a ``max_length`` of 39 characters.
The :class:`django.db.models.GenericIPAddressField` model field was not
affected.

12
docs/releases/5.0.11.txt
View File

@@ -5,3 +5,15 @@ Django 5.0.11 release notes
*January 14, 2025*
Django 5.0.11 fixes a security issue with severity "moderate" in 5.0.10.
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
============================================================================
Lack of upper bound limit enforcement in strings passed when performing IPv6
validation could lead to a potential denial-of-service attack. The undocumented
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
which has now been updated to define a ``max_length`` of 39 characters.
The :class:`django.db.models.GenericIPAddressField` model field was not
affected.

12
docs/releases/5.1.5.txt
View File

@@ -7,6 +7,18 @@ Django 5.1.5 release notes
Django 5.1.5 fixes a security issue with severity "moderate" and one bug in
5.1.4.
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
============================================================================
Lack of upper bound limit enforcement in strings passed when performing IPv6
validation could lead to a potential denial-of-service attack. The undocumented
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
which has now been updated to define a ``max_length`` of 39 characters.
The :class:`django.db.models.GenericIPAddressField` model field was not
affected.
Bugfixes
========