From 2cb311f7b069723027fb5def4044d1816d7d2afd Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Thu, 6 Mar 2025 15:24:56 +0100 Subject: [5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main. --- docs/releases/5.0.14.txt | 10 ++++++++++ docs/releases/5.1.8.txt | 10 ++++++++++ 2 files changed, 20 insertions(+) (limited to 'docs') diff --git a/docs/releases/5.0.14.txt b/docs/releases/5.0.14.txt index 8684a270dc..230bfed652 100644 --- a/docs/releases/5.0.14.txt +++ b/docs/releases/5.0.14.txt @@ -5,3 +5,13 @@ Django 5.0.14 release notes *April 2, 2025* Django 5.0.14 fixes a security issue with severity "moderate" in 5.0.13. + +CVE-2025-27556: Potential denial-of-service vulnerability in ``LoginView``, ``LogoutView``, and ``set_language()`` on Windows +============================================================================================================================= + +Python's :func:`NFKC normalization ` is slow on +Windows. As a consequence, :class:`~django.contrib.auth.views.LoginView`, +:class:`~django.contrib.auth.views.LogoutView`, and +:func:`~django.views.i18n.set_language` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters. diff --git a/docs/releases/5.1.8.txt b/docs/releases/5.1.8.txt index 2aa6686cb6..b3b0327b52 100644 --- a/docs/releases/5.1.8.txt +++ b/docs/releases/5.1.8.txt @@ -7,6 +7,16 @@ Django 5.1.8 release notes Django 5.1.8 fixes a security issue with severity "moderate" and several bugs in 5.1.7. +CVE-2025-27556: Potential denial-of-service vulnerability in ``LoginView``, ``LogoutView``, and ``set_language()`` on Windows +============================================================================================================================= + +Python's :func:`NFKC normalization ` is slow on +Windows. As a consequence, :class:`~django.contrib.auth.views.LoginView`, +:class:`~django.contrib.auth.views.LogoutView`, and +:func:`~django.views.i18n.set_language` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters. + Bugfixes ======== -- cgit v1.3