[Python-modules-team] Bug#922027: python-django: Django security release

Herbert Fortes terberh at gmail.com
Mon Feb 11 12:39:26 GMT 2019


On Mon, 11 Feb 2019 10:15:54 -0200 Herbert Fortes <terberh at gmail.com> wrote:

> Package: python-django
> Version: Django 2.2, 1.11
> Severity: normal
>
>
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
>
> If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
>
> To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
>
> Thanks Sjoerd Job Postmus for reporting this issue.
> Affected supported versions
>
>     Django master branch
>     Django 2.2 (which will be released in a separate blog post later today)
>     Django 2.1
>     Django 2.0
>     Django 1.11
>
> Per our supported versions policy, Django 1.10 and older are no longer supported.
>
> https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

Broken django 1.11.19 release for python2.7


It looks like the distributed django 1.11.19 release does not match the code in the 1.11.19 tag.

Component: Uncategorized → Core (Other)
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug


https://code.djangoproject.com/ticket/30175
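The 200-digit cutoff described in the quoted advisory, as an added illustration (my own code, not Django's numberformat.format() and not part of the original report): a formatter that only expands a Decimal positionally with '{:f}' when digit count plus exponent magnitude stays within the limit, and otherwise falls back to scientific notation so that a value such as Decimal('1E100000') produces a few characters instead of a 100001-character string.

```python
from decimal import Decimal
from typing import Optional

# Cutoff taken from the advisory's description of the fix. The helper itself is
# an illustration and does not reproduce Django's grouping/separator handling.
MAX_DIGITS = 200


def format_decimal(number: Decimal, decimal_pos: Optional[int] = None) -> str:
    """Render a Decimal for display without materialising a huge string.

    '{:f}' writes out every positional digit, so the output size is driven by
    the exponent, not by the number of significant digits. When the positional
    length would exceed MAX_DIGITS, format in scientific notation instead; the
    result then stays proportional to the significant digits the caller gave.
    """
    sign, digits, exponent = number.as_tuple()
    if not isinstance(exponent, int):
        # NaN and Infinity carry a string marker as their exponent.
        return str(number)
    if abs(exponent) + len(digits) > MAX_DIGITS:
        # '{:e}' is cheap: it never expands the exponent into zeros.
        coefficient, exp = '{:e}'.format(number).split('e')
        if decimal_pos is not None:
            coefficient = '{:.{}f}'.format(Decimal(coefficient), decimal_pos)
        return '{}e{}'.format(coefficient, exp)
    if decimal_pos is not None:
        return '{:.{}f}'.format(number, decimal_pos)
    return '{:f}'.format(number)


def output_length(number: Decimal) -> int:
    """Size of the string a caller would have to hold in memory."""
    return len(format_decimal(number))


if __name__ == '__main__':
    # Constructed inputs: an ordinary value, the largest positional case the
    # cutoff still allows, and a value whose '{:f}' form would be 100001 chars.
    for sample in (Decimal('1234.5'), Decimal('1E199'), Decimal('1E100000')):
        print(sample, '->', output_length(sample), 'characters')
```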
