summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorCarlton Gibson <carlton.gibson@noumenal.es>2019-02-11 11:15:45 +0100
committerCarlton Gibson <carlton.gibson@noumenal.es>2019-02-11 11:15:45 +0100
commit0bbb560183fabf0533289700845dafa94951f227 (patch)
tree0f8a1d5f93d967cec02416c1654fc8628b51dbb4 /docs
parent11cb39514dcb6de197ce22f8fa0cf011d53162e7 (diff)
[1.11.x] Fixed CVE-2019-6975 -- Fixed memory exhaustion in utils.numberformat.format().
Thanks Sjoerd Job Postmus for the report and initial patch. Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review. Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.19.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/1.11.19.txt b/docs/releases/1.11.19.txt
index cae22c4415..9ce48f26b2 100644
--- a/docs/releases/1.11.19.txt
+++ b/docs/releases/1.11.19.txt
@@ -5,3 +5,15 @@ Django 1.11.19 release notes
*February 11, 2019*
Django 1.11.19 fixes a security issue in 1.11.18.
+
+CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()``
+--------------------------------------------------------------------------
+
+If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well
+as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates
+filters -- received a ``Decimal`` with a large number of digits or a large
+exponent, it could lead to significant memory usage due to a call to
+``'{:f}'.format()``.
+
+To avoid this, decimals with more than 200 digits are now formatted using
+scientific notation.