mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-10 17:32:41 +00:00
Code Issues 32 Releases Wiki Activity
django/docs/releases/5.0.7.txt
Michael Manfre 07cefdee4a [5.0.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords. 
Refs #20760.

Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09 10:03:20 -03:00

31 lines
1.2 KiB
Plaintext
Raw Blame History

==========================
Django 5.0.7 release notes
==========================
*July 9, 2024*
Django 5.0.7 fixes two security issues with severity "moderate", two security
issues with severity "low", and several bugs in 5.0.6.
CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.
CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================
The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.
Bugfixes
========
* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
unsaved model instances with a ``GeneratedField`` and certain defined
:attr:`Meta.constraints <django.db.models.Options.constraints>`
(:ticket:`35560`).
Reference in New Issue View Git Blame Copy Permalink