summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-03-06 15:24:56 +0100
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-04-02 10:23:46 +0200
commit2cb311f7b069723027fb5def4044d1816d7d2afd (patch)
tree0b98eb2a2c3b0d3a0da7b566f88bce9924bc851a /docs
parentc68f3516be266cbc3929e51e32ed63d304ac5cc6 (diff)
[5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/5.0.14.txt10
-rw-r--r--docs/releases/5.1.8.txt10
2 files changed, 20 insertions, 0 deletions
diff --git a/docs/releases/5.0.14.txt b/docs/releases/5.0.14.txt
index 8684a270dc..230bfed652 100644
--- a/docs/releases/5.0.14.txt
+++ b/docs/releases/5.0.14.txt
@@ -5,3 +5,13 @@ Django 5.0.14 release notes
*April 2, 2025*
Django 5.0.14 fixes a security issue with severity "moderate" in 5.0.13.
+
+CVE-2025-27556: Potential denial-of-service vulnerability in ``LoginView``, ``LogoutView``, and ``set_language()`` on Windows
+=============================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.contrib.auth.views.LoginView`,
+:class:`~django.contrib.auth.views.LogoutView`, and
+:func:`~django.views.i18n.set_language` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters.
diff --git a/docs/releases/5.1.8.txt b/docs/releases/5.1.8.txt
index 2aa6686cb6..b3b0327b52 100644
--- a/docs/releases/5.1.8.txt
+++ b/docs/releases/5.1.8.txt
@@ -7,6 +7,16 @@ Django 5.1.8 release notes
Django 5.1.8 fixes a security issue with severity "moderate" and several bugs
in 5.1.7.
+CVE-2025-27556: Potential denial-of-service vulnerability in ``LoginView``, ``LogoutView``, and ``set_language()`` on Windows
+=============================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.contrib.auth.views.LoginView`,
+:class:`~django.contrib.auth.views.LogoutView`, and
+:func:`~django.views.i18n.set_language` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters.
+
Bugfixes
========