Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.

Thanks Alan Ryan for the report and initial patch.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-01-21 07:50:03 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-02-01 07:41:40 +0100
commit: fc18f36c4ab94399366ca2f2007b3692559a6f23 (patch)
tree: 6a501fe6f132e9aa38199758c91d2b0956d4f424 /docs/releases/4.0.2.txt
parent: 394517f07886495efcf79f95c7ee402a9437bd68 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/releases/4.0.2.txt b/docs/releases/4.0.2.txt
index d949d49dd6..05d235a4ff 100644
--- a/docs/releases/4.0.2.txt
+++ b/docs/releases/4.0.2.txt
@@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
 information when the ``DEBUG`` setting is ``False``, and it ensures all context
 variables are correctly escaped when the ``DEBUG`` setting is ``True``.
 
+CVE-2022-23833: Denial-of-service possibility in file uploads
+=============================================================
+
+Passing certain inputs to multipart forms could result in an infinite loop when
+parsing files.
+
 Bugfixes
 ========
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-01-21 07:50:03 +0100
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-02-01 07:41:40 +0100
commit	fc18f36c4ab94399366ca2f2007b3692559a6f23 (patch)
tree	6a501fe6f132e9aa38199758c91d2b0956d4f424 /docs/releases/4.0.2.txt
parent	394517f07886495efcf79f95c7ee402a9437bd68 (diff)