summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-07-12 11:38:34 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-08-06 08:51:22 +0200
commit0504af64292071e1a9565193ea8265c60600f7d7 (patch)
tree3ad63a19b075dfeb11cb2e540cceb436dd42902b /docs
parent2ba4f4b0b550a98f10deac47c1bbddccbc7365cd (diff)
[5.1.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.
Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.15.txt9
-rw-r--r--docs/releases/5.0.8.txt9
2 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
index d312f8580f..f3fdb0a3cf 100644
--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
@@ -7,6 +7,15 @@ Django 4.2.15 release notes
Django 4.2.15 fixes three security issues with severity "moderate", one
security issue with severity "high", and a regression in 4.2.14.
+CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
+================================================================================
+
+If :tfilter:`floatformat` received a string representation of a number in
+scientific notation with a large exponent, it could lead to significant memory
+consumption.
+
+To avoid this, decimals with more than 200 digits are now returned as is.
+
Bugfixes
========
diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt
index 704ecf2c61..c371e4af0b 100644
--- a/docs/releases/5.0.8.txt
+++ b/docs/releases/5.0.8.txt
@@ -7,6 +7,15 @@ Django 5.0.8 release notes
Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.
+CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
+================================================================================
+
+If :tfilter:`floatformat` received a string representation of a number in
+scientific notation with a large exponent, it could lead to significant memory
+consumption.
+
+To avoid this, decimals with more than 200 digits are now returned as is.
+
Bugfixes
========