[5.0.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.

Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-31 09:41:08 +00:00 · 2025-01-06 15:51:45 -03:00
parent 5e63880cb8
commit e8d4a20059
8 changed files with 119 additions and 14 deletions
--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
@@ -774,7 +774,7 @@ For each field, we describe the default widget used if you don't specify
    * Empty value: ``''`` (an empty string)
    * Normalizes to: A string. IPv6 addresses are normalized as described below.
    * Validates that the given value is a valid IP address.
-    * Error message keys: ``required``, ``invalid``
+    * Error message keys: ``required``, ``invalid``, ``max_length``

    The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
    including using the IPv4 format suggested in paragraph 3 of that section, like
@@ -782,7 +782,7 @@ For each field, we describe the default widget used if you don't specify
    ``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
    are converted to lowercase.

-    Takes two optional arguments:
+    Takes three optional arguments:

    .. attribute:: protocol

@@ -797,6 +797,15 @@ For each field, we describe the default widget used if you don't specify
        ``192.0.2.1``. Default is disabled. Can only be used
        when ``protocol`` is set to ``'both'``.

+    .. attribute:: max_length
+
+        Defaults to 39, and behaves the same way as it does for
+        :class:`CharField`.
+
+    .. versionchanged:: 4.2.18
+
+        The default value for ``max_length`` was set to 39 characters.
+
 ``ImageField``
 --------------

--- a/docs/releases/4.2.18.txt
+++ b/docs/releases/4.2.18.txt
@@ -5,3 +5,15 @@ Django 4.2.18 release notes
 *January 14, 2025*

 Django 4.2.18 fixes a security issue with severity "moderate" in 4.2.17.
+
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the  :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.
--- a/docs/releases/5.0.11.txt
+++ b/docs/releases/5.0.11.txt
@@ -5,3 +5,15 @@ Django 5.0.11 release notes
 *January 14, 2025*

 Django 5.0.11 fixes a security issue with severity "moderate" in 5.0.10.
+
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the  :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.