author    Markus Holtermann <info@markusholtermann.eu>  2022-12-13 10:27:39 +0100
committer Carlton Gibson <carlton.gibson@noumenal.es>  2023-02-07 10:36:32 +0100
commit    83f1ea83e4553e211c1c5a0dfc197b66d4e50432 (patch)
tree      b6d1c0c5b7dc19b61d8af4c192f9b6e7b99b0a38 /docs/releases/4.0.10.txt
parent    e5aecded4de78b8ce2048490fc9b12258e8b7623 (diff)
[4.0.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
Thanks to Jakob Ackermann for the report.
Diffstat (limited to 'docs/releases/4.0.10.txt')
-rw-r--r--  docs/releases/4.0.10.txt  10
1 files changed, 9 insertions, 1 deletions
diff --git a/docs/releases/4.0.10.txt b/docs/releases/4.0.10.txt
index b01f8c5b1b..4d076ab40e 100644
--- a/docs/releases/4.0.10.txt
+++ b/docs/releases/4.0.10.txt
@@ -6,4 +6,12 @@ Django 4.0.10 release notes
Django 4.0.10 fixes a security issue with severity "moderate" in 4.0.9.
-...
+CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
+=========================================================================
+
+Passing certain inputs to multipart forms could result in too many open files
+or memory exhaustion, and provided a potential vector for a denial-of-service
+attack.
+
+The number of files parts parsed is now limited via the new
+:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.
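Review bot: The last added paragraph has a typo and leaves the reader without the one detail they need to assess exposure: "The number of files parts parsed" should read "The number of file parts parsed", and the note names the new :setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting without stating its default or what happens when a request exceeds it. Release notes for a security fix are what operators read when deciding whether to tune a limit, so suggest one more sentence along the lines of "The default is <value>; requests exceeding it are rejected with <exception>" (filled in from the settings documentation added in the same fix), and a short pointer that deployments handling legitimately large multipart uploads may need to raise the value. Also worth considering whether the reporter credited in the commit message ("Thanks to Jakob Ackermann for the report.") should appear in the release note, as the other 4.0.x security notes do for their reporters.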