mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 01:25:32 +00:00
Code Issues 32 Releases Wiki Activity
Files
c2057205d9f30247e9d512d42114f27d0a93a96e
django/docs/releases/2.0.3.txt
Tim Graham 97b7dd59bb Fixed CVE-2018-7537 -- Fixed catastrophic backtracking in django.utils.text.Truncator. 
Thanks James Davis for suggesting the fix.
2018-03-06 08:30:40 -05:00

57 lines
2.3 KiB
Plaintext
Raw Blame History

==========================
Django 2.0.3 release notes
==========================
*March 6, 2018*
Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
latest string translations from Transifex are incorporated.
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.
The problematic regular expressions are replaced with parsing logic that
behaves similarly.
CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.
The backtracking problem in the regular expression is fixed.
Bugfixes
========
* Fixed a regression that caused sliced ``QuerySet.distinct().order_by()``
followed by ``count()`` to crash (:ticket:`29108`).
* Prioritized the datetime and time input formats without ``%f`` for the Thai
locale to fix the admin time picker widget displaying "undefined"
(:ticket:`29109`).
* Fixed crash with ``QuerySet.order_by(Exists(...))`` (:ticket:`29118`).
* Made ``Q.deconstruct()`` deterministic with multiple keyword arguments
(:ticket:`29125`). You may need to modify ``Q``'s in existing migrations, or
accept an autogenerated migration.
* Fixed a regression where a ``When()`` expression with a list argument crashes
(:ticket:`29166`).
* Fixed crash when using a ``Window()`` expression in a subquery
(:ticket:`29172`).
* Fixed ``AbstractBaseUser.normalize_username()`` crash if the ``username``
argument isn't a string (:ticket:`29176`).
Reference in New Issue View Git Blame Copy Permalink