From fc76660f589ac07e45e9cd34ccb8087aeb11904b Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Fri, 12 Jul 2024 11:38:34 +0200 Subject: [4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger --- docs/releases/4.2.15.txt | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt index d312f8580f..f3fdb0a3cf 100644 --- a/docs/releases/4.2.15.txt +++ b/docs/releases/4.2.15.txt @@ -7,6 +7,15 @@ Django 4.2.15 release notes Django 4.2.15 fixes three security issues with severity "moderate", one security issue with severity "high", and a regression in 4.2.14. +CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()`` +================================================================================ + +If :tfilter:`floatformat` received a string representation of a number in +scientific notation with a large exponent, it could lead to significant memory +consumption. + +To avoid this, decimals with more than 200 digits are now returned as is. + Bugfixes ======== -- cgit v1.3