diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-12 11:38:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:51:22 +0200 |
| commit | 0504af64292071e1a9565193ea8265c60600f7d7 (patch) | |
| tree | 3ad63a19b075dfeb11cb2e540cceb436dd42902b /docs | |
| parent | 2ba4f4b0b550a98f10deac47c1bbddccbc7365cd (diff) | |
[5.1.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.
Thanks Elias Myllymäki for the report.
Co-authored-by: Shai Berger <shai@platonix.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.15.txt | 9 | ||||
| -rw-r--r-- | docs/releases/5.0.8.txt | 9 |
2 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt index d312f8580f..f3fdb0a3cf 100644 --- a/docs/releases/4.2.15.txt +++ b/docs/releases/4.2.15.txt @@ -7,6 +7,15 @@ Django 4.2.15 release notes Django 4.2.15 fixes three security issues with severity "moderate", one security issue with severity "high", and a regression in 4.2.14. +CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()`` +================================================================================ + +If :tfilter:`floatformat` received a string representation of a number in +scientific notation with a large exponent, it could lead to significant memory +consumption. + +To avoid this, decimals with more than 200 digits are now returned as is. + Bugfixes ======== diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt index 704ecf2c61..c371e4af0b 100644 --- a/docs/releases/5.0.8.txt +++ b/docs/releases/5.0.8.txt @@ -7,6 +7,15 @@ Django 5.0.8 release notes Django 5.0.8 fixes three security issues with severity "moderate", one security issue with severity "high", and several bugs in 5.0.7. +CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()`` +================================================================================ + +If :tfilter:`floatformat` received a string representation of a number in +scientific notation with a large exponent, it could lead to significant memory +consumption. + +To avoid this, decimals with more than 200 digits are now returned as is. + Bugfixes ======== |
