mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-13 02:40:47 +00:00
Code Issues 32 Releases Wiki Activity
django/docs/releases/4.2.15.txt
Sarah Boyce 0c1a890916 [5.1.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 
Thanks to MProgrammer for the report.
2024-08-06 08:51:22 +02:00

32 lines
1.1 KiB
Plaintext
Raw Blame History

===========================
Django 4.2.15 release notes
===========================
*August 6, 2024*
Django 4.2.15 fixes three security issues with severity "moderate", one
security issue with severity "high", and a regression in 4.2.14.
CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================
If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
Bugfixes
========
* Fixed a regression in Django 4.2.14 that caused a crash in
``LocaleMiddleware`` when processing a language code over 500 characters
(:ticket:`35627`).
Reference in New Issue View Git Blame Copy Permalink