diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-04-08 16:30:17 +0200 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-05-06 22:21:42 -0300 |
| commit | 9f3419b519799d69f2aba70b9d25abe2e70d03e0 (patch) | |
| tree | 79d3c37e81798ca4e419f2df6f1325b7ae51cffb /docs/releases | |
| parent | f7d97dd11819be8996798a7197c5695a317334a0 (diff) | |
Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/4.2.21.txt | 11 | ||||
| -rw-r--r-- | docs/releases/5.1.9.txt | 11 | ||||
| -rw-r--r-- | docs/releases/5.2.1.txt | 11 |
3 files changed, 33 insertions, 0 deletions
diff --git a/docs/releases/4.2.21.txt b/docs/releases/4.2.21.txt index 306269a3e7..cc39105a01 100644 --- a/docs/releases/4.2.21.txt +++ b/docs/releases/4.2.21.txt @@ -7,6 +7,17 @@ Django 4.2.21 release notes Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug, and a regression in 4.2.20. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ======== diff --git a/docs/releases/5.1.9.txt b/docs/releases/5.1.9.txt index dec03a6964..f238ac1f7e 100644 --- a/docs/releases/5.1.9.txt +++ b/docs/releases/5.1.9.txt @@ -7,6 +7,17 @@ Django 5.1.9 release notes Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug, and a regression in 5.1.8. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ======== diff --git a/docs/releases/5.2.1.txt b/docs/releases/5.2.1.txt index 1f696a7551..0d7b40bf42 100644 --- a/docs/releases/5.2.1.txt +++ b/docs/releases/5.2.1.txt @@ -7,6 +7,17 @@ Django 5.2.1 release notes Django 5.2.1 fixes a security issue with severity "moderate" and several bugs in 5.2. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ======== |