
List:       oss-security
Subject:    [oss-security] CVE-2019-6975 -- Django fixed memory exhaustion in utils.numberformat.format().
From:       Carlton Gibson <carlton.gibson () gmail ! com>
Date:       2019-02-11 11:05:50
Message-ID: B20E8928-1375-490B-B6B9-97FBE4A19B51 () gmail ! com


In accordance with our security release policy, the Django team is issuing Django 1.11.19, Django 2.1.6, and Django 2.0.11. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
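The following is an added illustration of the mitigation described above, not Django's own code: it sizes the fixed-point rendering from the Decimal's tuple (without materialising the string) and falls back to scientific notation past the 200-digit threshold. The helper names and the exact width calculation are assumptions.

```python
from decimal import Decimal

# Threshold taken from the advisory: more than 200 digits -> scientific notation.
DIGIT_THRESHOLD = 200


def fixed_point_width(number: Decimal) -> int:
    """Approximate length of '{:f}'.format(number) without building it.

    Works from Decimal.as_tuple(), so a value such as Decimal('1e1000000000')
    costs nothing to inspect even though its fixed-point form would be a
    gigabyte-sized string. (Hypothetical helper, not Django's implementation.)
    """
    _sign, digits, exponent = number.as_tuple()
    if exponent >= 0:
        # Integer with `exponent` trailing zeros appended to the coefficient.
        return len(digits) + exponent
    # Fractional value: either the coefficient itself or leading zeros after
    # the decimal point, whichever is longer.
    return max(len(digits), -exponent)


def safe_format(number: Decimal) -> str:
    """Render a Decimal for display with bounded memory use.

    Mirrors the advisory's approach: '{:f}' only when the output is small,
    otherwise '{:e}', whose length is bounded by the coefficient and the
    exponent's own digit count rather than the exponent's value.
    """
    if fixed_point_width(number) > DIGIT_THRESHOLD:
        return "{:e}".format(number)
    return "{:f}".format(number)


if __name__ == "__main__":
    # Constructed sample: a harmless-looking literal with a huge exponent.
    sample = Decimal("1e1000000000")
    print(fixed_point_width(sample))  # ~1e9 characters if rendered with '{:f}'
    print(safe_format(sample))        # short scientific-notation string
    print(safe_format(Decimal("1234.5")))
```

Calling '{:f}'.format() directly on the sample above is exactly what the vulnerable code did; the width check is the cheap pre-flight that makes the decision before any allocation happens.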

See the Django blog for more details and download links:
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/


