Date: Mon, 11 Feb 2019 12:05:50 +0100
From: Carlton Gibson <carlton.gibson@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-6975 -- Django fixed memory exhaustion in utils.numberformat.format().

In accordance with our security release policy, the Django team is issuing Django 1.11.19, Django 2.1.6, and Django 2.0.11. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
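As an added illustration, not part of the advisory or of Django's own code, the following Python shows why '{:f}' is the hazard and how a formatter modelled on the fix described above avoids it. The function names, the sample inputs (a seven-character literal with exponent 10000, a 300-digit coefficient) and the digit-counting rule (coefficient length plus the absolute exponent) are assumptions made here; only the 200-digit cutoff is taken from the advisory.

```python
from decimal import Decimal

# Cutoff named in the advisory; an arbitrary limit, not a mathematical one.
MAX_DIGITS = 200

# Constructed inputs (not taken from the advisory). "1e10000" is only 7
# characters of text, yet fixed-point formatting expands it to 10001 digits;
# a real attacker would use a far larger exponent.
HOSTILE_EXPONENT = Decimal("1e10000")
HOSTILE_NEGATIVE = Decimal("1e-10000")
HOSTILE_COEFFICIENT = Decimal("1" * 300)
ORDINARY = Decimal("1234.5678")


def naive_format(number):
    """Pre-fix behaviour: '{:f}' writes every digit implied by the exponent,
    so output size is proportional to the exponent, not to the input size."""
    return "{:f}".format(number)


def fixed_point_digits(number):
    """Digits a fixed-point rendering of ``number`` would contain, computed
    from Decimal.as_tuple() without building the string. Returns None for
    NaN/Infinity, whose as_tuple() exponent is a string, not an int."""
    _sign, digits, exponent = number.as_tuple()
    if not isinstance(exponent, int):
        return None
    # A positive exponent appends zeros; a negative one prepends "0.000...".
    return len(digits) + abs(exponent)


def safe_format(number, max_digits=MAX_DIGITS):
    """Hardened variant modelled on the described fix (assumed shape, not
    Django's code): when fixed-point output would exceed max_digits digits,
    use scientific notation, whose length tracks the input's own length."""
    needed = fixed_point_digits(number)
    if needed is None:
        return str(number)            # NaN / Infinity cannot blow up
    if needed > max_digits:
        return "{:e}".format(number)  # e.g. Decimal('1e10000') -> '1e+10000'
    return "{:f}".format(number)


if __name__ == "__main__":
    print(len(naive_format(HOSTILE_EXPONENT)))   # 10001 characters
    print(safe_format(HOSTILE_EXPONENT))         # 1e+10000
    print(safe_format(HOSTILE_NEGATIVE))         # 1e-10000
    print(safe_format(ORDINARY))                 # 1234.5678 (unchanged)
```

The point of fixed_point_digits() is that the cost can be bounded before any string is built: as_tuple() is O(len(input)), whereas '{:f}' is O(exponent). Any code path that formats untrusted Decimals with '{:f}', '%f' or Decimal.quantize() deserves the same pre-check; the filters named above are only the instances the Django project audited.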

See the Django blog for more details and download links:
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
