diff options
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-02-11 11:15:45 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-02-11 11:15:45 +0100 |
| commit | 0bbb560183fabf0533289700845dafa94951f227 (patch) | |
| tree | 0f8a1d5f93d967cec02416c1654fc8628b51dbb4 /docs | |
| parent | 11cb39514dcb6de197ce22f8fa0cf011d53162e7 (diff) | |
[1.11.x] Fixed CVE-2019-6975 -- Fixed memory exhaustion in utils.numberformat.format().
Thanks Sjoerd Job Postmus for the report and initial patch.
Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review.
Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.19.txt | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/1.11.19.txt b/docs/releases/1.11.19.txt index cae22c4415..9ce48f26b2 100644 --- a/docs/releases/1.11.19.txt +++ b/docs/releases/1.11.19.txt @@ -5,3 +5,15 @@ Django 1.11.19 release notes *February 11, 2019* Django 1.11.19 fixes a security issue in 1.11.18. + +CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()`` +-------------------------------------------------------------------------- + +If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well +as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates +filters -- received a ``Decimal`` with a large number of digits or a large +exponent, it could lead to significant memory usage due to a call to +``'{:f}'.format()``. + +To avoid this, decimals with more than 200 digits are now formatted using +scientific notation. |
