oss-sec mailing list archives
Django CVE-2024-24680: Potential denial-of-service in intcomma template filter
From: Natalia Bidart <nataliabidart () gmail com>
Date: Tue, 6 Feb 2024 12:18:00 -0300
From: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/ In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 5.0.2 <https://docs.djangoproject.com/en/dev/releases/5.0.2/>`_, `Django 4.2.10 <https://docs.djangoproject.com/en/dev/releases/4.2.10/>`_, and `Django 3.2.24 <https://docs.djangoproject.com/en/dev/releases/3.2.24/>`_. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter =========================================================================== The ``intcomma`` template filter was subject to a potential denial-of-service attack when used with very long strings. Affected supported versions =========================== * Django main branch * Django 5.0 * Django 4.2 * Django 3.2 Resolution ========== Patches to resolve the issue have been applied to Django's main branch and the 5.0, 4.2, and 3.2 stable branches. The patches may be obtained from the following changesets: * On the `main branch < https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9
`__
* On the `5.0 release branch < https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc
`__
* On the `4.2 release branch < https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2
`__
* On the `3.2 release branch < https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820
`__
The following releases have been issued: * Django 5.0.2 (`download Django 5.0.2 < https://www.djangoproject.com/m/releases/5.0/Django-5.0.2.tar.gz>`_ | `5.0.2 checksums < https://www.djangoproject.com/m/pgp/Django-5.0.2.checksum.txt>`_) * Django 4.2.10 (`download Django 4.2.10 < https://www.djangoproject.com/m/releases/4.2/Django-4.2.10.tar.gz>`_ | `4.2.10 checksums < https://www.djangoproject.com/m/pgp/Django-4.2.10.checksum.txt>`_) * Django 3.2.24 (`download Django 3.2.24 < https://www.djangoproject.com/m/releases/3.2/Django-3.2.24.tar.gz>`_ | `3.2.24 checksums < https://www.djangoproject.com/m/pgp/Django-3.2.24.checksum.txt>`_) The PGP key ID used for this release is Natalia Bidart: `2EE82A8D9470983E < https://github.com/nessita.gpg>`_ General notes regarding security reporting ========================================== As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance, nor via the Django Forum, nor via the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.
Current thread:
- Django CVE-2024-24680: Potential denial-of-service in intcomma template filter Natalia Bidart (Feb 06)