[5.0.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().

Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
author: Shai Berger <shai@platonix.com> 2024-02-19 13:56:37 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2024-03-04 08:22:40 +0100
commit: 3394fc6132436eca89e997083bae9985fb7e761e (patch)
tree: 55e9e0e4fc0d62c5064841a4bbe78aaf1d8bb590 /docs/releases/3.2.25.txt
parent: 80761c3b01fbbbe2da1761937edd20251a86fbee (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
index aa81c720d5..a3a90986ff 100644
--- a/docs/releases/3.2.25.txt
+++ b/docs/releases/3.2.25.txt
@@ -7,6 +7,14 @@ Django 3.2.25 release notes
 Django 3.2.25 fixes a security issue with severity "moderate" and a regression
 in 3.2.24.
 
+CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
+=========================================================================================================
+
+``django.utils.text.Truncator.words()`` method (with ``html=True``) and
+:tfilter:`truncatewords_html` template filter were subject to a potential
+regular expression denial-of-service attack using a suitably crafted string
+(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
+
 Bugfixes
 ========
author	Shai Berger <shai@platonix.com>	2024-02-19 13:56:37 +0100
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2024-03-04 08:22:40 +0100
commit	3394fc6132436eca89e997083bae9985fb7e761e (patch)
tree	55e9e0e4fc0d62c5064841a4bbe78aaf1d8bb590 /docs/releases/3.2.25.txt
parent	80761c3b01fbbbe2da1761937edd20251a86fbee (diff)