mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-03 10:34:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed CVE-2019-6975 -- Fixed memory exhaustion in utils.numberformat.format().

Browse source 
Thanks Sjoerd Job Postmus for the report and initial patch.
Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review.
This commit is contained in:
Carlton Gibson 2019-02-11 11:08:45 +01:00
parent c901a1775b
commit 402c0caa85
5 changed files with 69 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
docs/releases/1.11.19.txt
View file

@ -5,3 +5,15 @@ Django 1.11.19 release notes
*February 11, 2019*
Django 1.11.19 fixes a security issue in 1.11.18.
CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()``
--------------------------------------------------------------------------
If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well
as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates
filters -- received a ``Decimal`` with a large number of digits or a large
exponent, it could lead to significant memory usage due to a call to
``'{:f}'.format()``.
To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.

12
docs/releases/2.0.11.txt
View file

@ -5,3 +5,15 @@ Django 2.0.11 release notes
*February 11, 2019*
Django 2.0.11 fixes a security issue in 2.0.10.
CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()``
--------------------------------------------------------------------------
If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well
as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates
filters -- received a ``Decimal`` with a large number of digits or a large
exponent, it could lead to significant memory usage due to a call to
``'{:f}'.format()``.
To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.

12
docs/releases/2.1.6.txt
View file

@ -6,6 +6,18 @@ Django 2.1.6 release notes
Django 2.1.6 fixes a security issue and a bug in 2.1.5.
CVE-2019-6975: Memory exhaustion in ``django.utils.numberformat.format()``
--------------------------------------------------------------------------
If ``django.utils.numberformat.format()`` -- used by ``contrib.admin`` as well
as the the ``floatformat``, ``filesizeformat``, and ``intcomma`` templates
filters -- received a ``Decimal`` with a large number of digits or a large
exponent, it could lead to significant memory usage due to a call to
``'{:f}'.format()``.
To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.
Bugfixes
========