[3.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.

Thanks to Jakob Ackermann for the report.
author: Markus Holtermann <info@markusholtermann.eu> 2022-12-13 10:27:39 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2023-02-07 10:39:25 +0100
commit: a665ed5179f5bbd3db95ce67286d0192eff041d8 (patch)
tree: 5c5873c622efac4be67e05a3db7723034b627a78 /docs/releases/3.2.18.txt
parent: 932b5bd52d8d7e9255264fdbf425e322efac0b97 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/docs/releases/3.2.18.txt b/docs/releases/3.2.18.txt
index 431d04c989..46c0feb51e 100644
--- a/docs/releases/3.2.18.txt
+++ b/docs/releases/3.2.18.txt
@@ -6,4 +6,12 @@ Django 3.2.18 release notes
 
 Django 3.2.18 fixes a security issue with severity "moderate" in 3.2.17.
 
-...
+CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
+=========================================================================
+
+Passing certain inputs to multipart forms could result in too many open files
+or memory exhaustion, and provided a potential vector for a denial-of-service
+attack.
+
+The number of files parts parsed is now limited via the new
+:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.
author	Markus Holtermann <info@markusholtermann.eu>	2022-12-13 10:27:39 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2023-02-07 10:39:25 +0100
commit	a665ed5179f5bbd3db95ce67286d0192eff041d8 (patch)
tree	5c5873c622efac4be67e05a3db7723034b627a78 /docs/releases/3.2.18.txt
parent	932b5bd52d8d7e9255264fdbf425e322efac0b97 (diff)