summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.26.txt10
-rw-r--r--docs/releases/5.1.14.txt10
-rw-r--r--docs/releases/5.2.8.txt10
3 files changed, 28 insertions, 2 deletions
diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt
index e0db257c04..ae274c3361 100644
--- a/docs/releases/4.2.26.txt
+++ b/docs/releases/4.2.26.txt
@@ -7,4 +7,12 @@ Django 4.2.26 release notes
Django 4.2.26 fixes one security issue with severity "high" and one security
issue with severity "moderate" in 4.2.25.
-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
diff --git a/docs/releases/5.1.14.txt b/docs/releases/5.1.14.txt
index 79a7a260e3..8dba96e487 100644
--- a/docs/releases/5.1.14.txt
+++ b/docs/releases/5.1.14.txt
@@ -7,4 +7,12 @@ Django 5.1.14 release notes
Django 5.1.14 fixes one security issue with severity "high" and one security
issue with severity "moderate" in 5.1.13.
-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index 62cb32f55c..947fce8d84 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -8,6 +8,16 @@ Django 5.2.8 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
with Python 3.14.
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
+
Bugfixes
========