diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-12 11:38:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-31 16:11:59 +0200 |
| commit | fc76660f589ac07e45e9cd34ccb8087aeb11904b (patch) | |
| tree | 2bcde8a31c4ecdda7dcd2e33609f4c1d9a5ef6a1 /docs | |
| parent | 7b1a76f899f7a7acb7d70b433cb0064c2184186b (diff) | |
[4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.
Thanks Elias Myllymäki for the report.
Co-authored-by: Shai Berger <shai@platonix.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.15.txt | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt index d312f8580f..f3fdb0a3cf 100644 --- a/docs/releases/4.2.15.txt +++ b/docs/releases/4.2.15.txt @@ -7,6 +7,15 @@ Django 4.2.15 release notes Django 4.2.15 fixes three security issues with severity "moderate", one security issue with severity "high", and a regression in 4.2.14. +CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()`` +================================================================================ + +If :tfilter:`floatformat` received a string representation of a number in +scientific notation with a large exponent, it could lead to significant memory +consumption. + +To avoid this, decimals with more than 200 digits are now returned as is. + Bugfixes ======== |
