List: oss-security
Subject: [oss-security] CVE-2019-6975 -- Django fixed memory exhaustion in utils.numberformat.format().
From: Carlton Gibson <carlton.gibson () gmail ! com>
Date: 2019-02-11 11:05:50
Message-ID: B20E8928-1375-490B-B6B9-97FBE4A19B51 () gmail ! com
In accordance with our security release policy, the Django team is issuing Django 1.11.19, Django 2.1.6, and Django 2.0.11. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
See the Django blog for more details and download links:
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
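The mechanism behind the advisory, as an added example that is not part of the original post and not Django's own code: '{:f}' on a Decimal expands the exponent into literal zeros, so the output length (and the memory it needs) grows linearly with the exponent magnitude, and an attacker who can get a value like 1E+1000000000 into the formatter forces a gigabyte-sized string. The pre-fix behaviour is shown beside a hardened formatter that applies the same rule as the fix (digit count plus exponent magnitude above a cutoff means scientific notation). The function and constant names are hypothetical, the 200-digit cutoff is the one the advisory states, the sample inputs are constructed, and grouping and localisation are omitted.

```python
from decimal import Decimal

# Cutoff stated in the advisory: decimals with more digits than this are
# rendered in scientific notation instead of with '{:f}'. Name is ours.
MAX_PLAIN_DIGITS = 200


def _as_finite_tuple(number):
    """Return (sign, digits, exponent) for a finite Decimal; reject NaN/Inf,
    whose as_tuple() exponent is a letter rather than an int."""
    sign, digits, exponent = Decimal(number).as_tuple()
    if not isinstance(exponent, int):
        raise ValueError("non-finite Decimal cannot be formatted with '{:f}'")
    return sign, digits, exponent


def plain_length(number):
    """Predict len('{:f}'.format(number)) from the Decimal tuple alone.

    The plain form needs one character per integer digit (exponent zeros
    included), one per fractional digit, plus the point and the sign, so
    the cost can be measured without allocating the string.
    """
    sign, digits, exponent = _as_finite_tuple(number)
    int_digits = max(len(digits) + exponent, 1)   # at least a leading '0'
    frac_digits = max(-exponent, 0)
    length = int_digits + frac_digits
    if frac_digits:
        length += 1                                # the decimal point
    if sign:
        length += 1                                # the minus sign
    return length


def vulnerable_format(number):
    """Pre-fix behaviour: always materialise the plain form, whatever its size."""
    return '{:f}'.format(Decimal(number))


def hardened_format(number, max_digits=MAX_PLAIN_DIGITS):
    """Post-fix behaviour: fall back to scientific notation when the plain
    form would be huge. The check is the digit count plus the exponent
    magnitude, which bounds the '{:f}' output for both large positive
    exponents (trailing zeros) and large negative ones (leading zeros)."""
    number = Decimal(number)
    _, digits, exponent = _as_finite_tuple(number)
    if abs(exponent) + len(digits) > max_digits:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


if __name__ == "__main__":
    # Constructed inputs standing in for an attacker-controlled value that a
    # view turned into a Decimal before handing it to a template filter.
    for raw in ("1234.5", "1E+100000", "1E-1000000", "1E+1000000000"):
        print(f"{raw:>14}  plain form would be {plain_length(raw):>13,} chars"
              f"  -> hardened: {hardened_format(raw)}")
```

The 1E+100000 case is small enough to materialise, so the test below checks the predicted length against the real '{:f}' output there; for 1E+1000000000 only the prediction is evaluated, since actually formatting it is the memory exhaustion the advisory describes.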