diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/5.2.14.txt | 14 | ||||
| -rw-r--r-- | docs/releases/6.0.5.txt | 14 |
2 files changed, 28 insertions, 0 deletions
diff --git a/docs/releases/5.2.14.txt b/docs/releases/5.2.14.txt index 681687efb1..0722e80a95 100644 --- a/docs/releases/5.2.14.txt +++ b/docs/releases/5.2.14.txt @@ -5,3 +5,17 @@ Django 5.2.14 release notes *May 5, 2026* Django 5.2.14 fixes three security issues with severity "low" in 5.2.13. + +CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass +====================================================================================================== + +ASGI requests with a missing or understated ``Content-Length`` header could +bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading +large files into memory and causing service degradation. + +As a reminder, Django :ref:`expects a limit to be configured +<user-uploaded-content-security>` at the web server level rather than solely +relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/6.0.5.txt b/docs/releases/6.0.5.txt index 1e7e1b2c3b..8613b604fb 100644 --- a/docs/releases/6.0.5.txt +++ b/docs/releases/6.0.5.txt @@ -7,6 +7,20 @@ Django 6.0.5 release notes Django 6.0.5 fixes three security issues with severity "low" and several bugs in 6.0.4. +CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass +====================================================================================================== + +ASGI requests with a missing or understated ``Content-Length`` header could +bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading +large files into memory and causing service degradation. + +As a reminder, Django :ref:`expects a limit to be configured +<user-uploaded-content-security>` at the web server level rather than solely +relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. + Bugfixes ======== |
