| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-02-11 11:08:45 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-02-11 11:10:38 +0100 |
| commit | 83ab3e26647f6a50cdfac01ecf735cad540b2f35 (patch) | |
| tree | 3353ac9f575fff93ea97d1b05a3e22b8ae86bbcd /docs | |
| parent | b89d31d2dcb3d5566bc8f16dd058223153585899 (diff) | |
[2.2.x] Fixed CVE-2019-6975 -- Fixed memory exhaustion in utils.numberformat.format().
Thanks Sjoerd Job Postmus for the report and initial patch.
Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review.
Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.19.txt | 12 | ||||
| -rw-r--r-- | docs/releases/2.0.11.txt | 12 | ||||
| -rw-r--r-- | docs/releases/2.1.6.txt | 12 |
3 files changed, 36 insertions, 0 deletions
diff --git a/docs/releases/1.11.19.txt b/docs/releases/1.11.19.txt index cae22c4415..9ce48f26b2 100644 --- a/docs/releases/1.11.19.txt +++ b/docs/releases/1.11.19.txt @@ -5,3 +5,15 @@ Django 1.11.19 release notes *February 11, 2019* Django 1.11.19 fixes a security issue in 1.11.18. + +CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()`` +-------------------------------------------------------------------------- + +If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well +as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates +filters -- received a ``Decimal`` with a large number of digits or a large +exponent, it could lead to significant memory usage due to a call to +``'{:f}'.format()``. + +To avoid this, decimals with more than 200 digits are now formatted using +scientific notation. diff --git a/docs/releases/2.0.11.txt b/docs/releases/2.0.11.txt index 969af23ecf..f6c4368baa 100644 --- a/docs/releases/2.0.11.txt +++ b/docs/releases/2.0.11.txt @@ -5,3 +5,15 @@ Django 2.0.11 release notes *February 11, 2019* Django 2.0.11 fixes a security issue in 2.0.10. + +CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()`` +-------------------------------------------------------------------------- + +If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well +as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates +filters -- received a ``Decimal`` with a large number of digits or a large +exponent, it could lead to significant memory usage due to a call to +``'{:f}'.format()``. + +To avoid this, decimals with more than 200 digits are now formatted using +scientific notation. diff --git a/docs/releases/2.1.6.txt b/docs/releases/2.1.6.txt index f6c589848a..fea8209115 100644 --- a/docs/releases/2.1.6.txt +++ b/docs/releases/2.1.6.txt 
@@ -6,6 +6,18 @@ Django 2.1.6 release notes Django 2.1.6 fixes a security issue and a bug in 2.1.5. +CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()`` +-------------------------------------------------------------------------- + +If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well +as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates +filters -- received a ``Decimal`` with a large number of digits or a large +exponent, it could lead to significant memory usage due to a call to +``'{:f}'.format()``. + +To avoid this, decimals with more than 200 digits are now formatted using +scientific notation. + Bugfixes ======== |
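Review bot: The added paragraph in docs/releases/1.11.19.txt has a duplicated word and a number agreement slip in "used by ``contrib.admin`` as well as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates filters"; it should read "as well as the ``floatformat``, ``filesizeformat``, and ``intcomma`` template filters". Since this text ships in a security release note that readers will quote, it is worth fixing before the backport lands.

Review bot: The same sentence in docs/releases/2.0.11.txt repeats "the the" and says "templates filters" where "template filters" is meant; suggest "as well as the ``floatformat``, ``filesizeformat``, and ``intcomma`` template filters" so the three release notes stay identical after the fix.

Review bot: In docs/releases/2.1.6.txt the new CVE-2019-6975 section carries the same "as the the ... templates filters" typo as the other two notes; correct it to "as the ``floatformat``, ``filesizeformat``, and ``intcomma`` template filters". The hunk header change from "-6,6" to "+6,18" matches the 12 inserted lines in the diffstat, so the rest of this hunk looks consistent.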
