Refs CVE-2024-27351 -- Forwardported release notes and tests.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
author: Shai Berger <shai@platonix.com> 2024-02-19 13:56:37 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2024-03-04 08:22:00 +0100
commit: f6ad8c7676f85dfde5a279b6b1469251421289e2 (patch)
tree: fab12a57619f5627f70093da3bfb84708984c6d6 /docs/releases/3.2.25.txt
parent: f5ed4306bbfd2e5543dd02cf5a22326a29253cdf (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
index aa81c720d5..a3a90986ff 100644
--- a/docs/releases/3.2.25.txt
+++ b/docs/releases/3.2.25.txt
@@ -7,6 +7,14 @@ Django 3.2.25 release notes
 Django 3.2.25 fixes a security issue with severity "moderate" and a regression
 in 3.2.24.
 
+CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
+=========================================================================================================
+
+``django.utils.text.Truncator.words()`` method (with ``html=True``) and
+:tfilter:`truncatewords_html` template filter were subject to a potential
+regular expression denial-of-service attack using a suitably crafted string
+(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
+
 Bugfixes
 ========
author	Shai Berger <shai@platonix.com>	2024-02-19 13:56:37 +0100
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2024-03-04 08:22:00 +0100
commit	f6ad8c7676f85dfde5a279b6b1469251421289e2 (patch)
tree	fab12a57619f5627f70093da3bfb84708984c6d6 /docs/releases/3.2.25.txt
parent	f5ed4306bbfd2e5543dd02cf5a22326a29253cdf (diff)