summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-07-12 11:38:34 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-07-31 16:11:59 +0200
commitfc76660f589ac07e45e9cd34ccb8087aeb11904b (patch)
tree2bcde8a31c4ecdda7dcd2e33609f4c1d9a5ef6a1 /docs
parent7b1a76f899f7a7acb7d70b433cb0064c2184186b (diff)
[4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.
Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.15.txt9
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
index d312f8580f..f3fdb0a3cf 100644
--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
@@ -7,6 +7,15 @@ Django 4.2.15 release notes
Django 4.2.15 fixes three security issues with severity "moderate", one
security issue with severity "high", and a regression in 4.2.14.
+CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
+================================================================================
+
+If :tfilter:`floatformat` received a string representation of a number in
+scientific notation with a large exponent, it could lead to significant memory
+consumption.
+
+To avoid this, decimals with more than 200 digits are now returned as is.
+
Bugfixes
========