[Python-modules-team] Bug#922027: python-django: Django security release
Herbert Fortes
terberh at gmail.com
Mon Feb 11 12:15:54 GMT 2019
Package: python-django
Version: Django 2.2, 1.11
Severity: normal
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
Thanks Sjoerd Job Postmus for reporting this issue.
Affected supported versions
Django master branch
Django 2.2 (which will be released in a separate blog post later today)
Django 2.1
Django 2.0
Django 1.11
Per our supported versions policy, Django 1.10 and older are no longer supported.
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
Regards,
Herbert
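To make the advisory concrete, the following is an added example (written for this page, not Django's own code or its patch) that reproduces the memory-growth pattern described above and the mitigation it describes. The 200-digit cutoff comes from the advisory; the function names, the digit_count heuristic and the handling of NaN/Infinity are this example's assumptions, not Django's implementation.

```python
from decimal import Decimal

# Cutoff named in the advisory: Decimals with more than 200 digits are
# formatted in scientific notation instead of being expanded by '{:f}'.
MAX_DIGITS = 200


def vulnerable_format(number):
    """Pre-fix behaviour: always expand the Decimal to a fixed-point string.

    Decimal('1e100000') expands to a string of 100001 characters; the exponent
    of an attacker-controlled value can be far larger, so memory use is
    bounded only by the input, which is the CVE-2019-6975 condition.
    """
    return '{:f}'.format(number)


def digit_count(number):
    """Estimate (assumed heuristic) of how many digits '{:f}' would write.

    as_tuple() returns the coefficient digits and the base-10 exponent; a
    fixed-point expansion needs about len(digits) + abs(exponent) characters.
    NaN and Infinity carry a non-integer exponent ('n' / 'F') and format to
    short constant strings, so they count as zero digits here.
    """
    _, digits, exponent = number.as_tuple()
    if not isinstance(exponent, int):
        return 0
    return len(digits) + abs(exponent)


def hardened_format(number, max_digits=MAX_DIGITS):
    """Post-fix behaviour: scientific notation above the cutoff.

    '{:e}' keeps the coefficient digits and writes the exponent as a number,
    so its output length no longer depends on the size of the exponent.
    """
    if isinstance(number, Decimal) and digit_count(number) > max_digits:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed sample inputs: a harmless value and a hostile one.
    for raw in ('1234.5', '1e100000'):
        value = Decimal(raw)
        print(raw, 'vulnerable ->', len(vulnerable_format(value)), 'chars;',
              'hardened ->', hardened_format(value))
```

Run the block directly to see the two paths side by side; on a real deployment the practical check is simply the Django version (2.2 final, 2.1.6, 2.0.11 or 1.11.19 and later carry the fix), since the call sites named in the advisory are reachable through the admin and the template filters without any custom code.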