mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
5d86458579
Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
23 lines
959 B
Plaintext
23 lines
959 B
Plaintext
===========================
|
|
Django 4.2.14 release notes
|
|
===========================
|
|
|
|
*July 9, 2024*
|
|
|
|
Django 4.2.14 fixes two security issues with severity "moderate" and two
|
|
security issues with severity "low" in 4.2.13.
|
|
|
|
CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
|
|
===========================================================================================
|
|
|
|
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
|
|
denial-of-service attack via certain inputs with a very large number of
|
|
brackets.
|
|
|
|
CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
|
|
================================================================================================
|
|
|
|
The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
|
|
allowed remote attackers to enumerate users via a timing attack involving login
|
|
requests for users with unusable passwords.
|