Django CVE-2024-24680: Potential denial-of-service in intcomma template filter

[Natalia Bidart <nataliabidart () gmail com>]

From: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django
team
is issuing
`Django 5.0.2 <https://docs.djangoproject.com/en/dev/releases/5.0.2/>`_,
`Django 4.2.10 <https://docs.djangoproject.com/en/dev/releases/4.2.10/>`_,
and
`Django 3.2.24 <https://docs.djangoproject.com/en/dev/releases/3.2.24/>`_.
These releases address the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential
denial-of-service
attack when used with very long strings.

Affected supported versions
===========================

* Django main branch
* Django 5.0
* Django 4.2
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and
the
5.0, 4.2, and 3.2 stable branches. The patches may be obtained from the
following changesets:

* On the `main branch <
https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9
> `__
* On the `5.0 release branch <
https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc
> `__
* On the `4.2 release branch <
https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2
> `__
* On the `3.2 release branch <
https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820
> `__

The following releases have been issued:

* Django 5.0.2 (`download Django 5.0.2 <
https://www.djangoproject.com/m/releases/5.0/Django-5.0.2.tar.gz>`_ |
`5.0.2 checksums <
https://www.djangoproject.com/m/pgp/Django-5.0.2.checksum.txt>`_)
* Django 4.2.10 (`download Django 4.2.10 <
https://www.djangoproject.com/m/releases/4.2/Django-4.2.10.tar.gz>`_ |
`4.2.10 checksums <
https://www.djangoproject.com/m/pgp/Django-4.2.10.checksum.txt>`_)
* Django 3.2.24 (`download Django 3.2.24 <
https://www.djangoproject.com/m/releases/3.2/Django-3.2.24.tar.gz>`_ |
`3.2.24 checksums <
https://www.djangoproject.com/m/pgp/Django-3.2.24.checksum.txt>`_)

The PGP key ID used for this release is Natalia Bidart: `2EE82A8D9470983E <
https://github.com/nessita.gpg>`_

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private
email
to ``security () djangoproject com``, and not via Django's Trac instance, nor
via
the Django Forum, nor via the django-developers list. Please see `our
security
policies <https://www.djangoproject.com/security/>`_ for further
information.