Django 5.0.8 release notes
August 6, 2024
Django 5.0.8 fixes three security issues with severity “moderate”, one security issue with severity “high”, and several bugs in 5.0.7.
CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
If floatformat received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
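As an added illustration of the cut-off described above (this is not Django's own code; the constant name and the two helper functions are my own), the size a decimal string would have in plain notation can be bounded from the Decimal tuple without ever expanding the value, so the guard itself costs nothing even for a huge exponent:

```python
from decimal import Decimal, InvalidOperation
from typing import Optional

# Same 200-digit cut-off the release notes mention; the constant name is assumed.
MAX_DIGITS = 200


def plain_size_bound(value: str) -> Optional[int]:
    """Upper bound on the digits `value` would occupy in plain (non-scientific)
    notation, taken from the mantissa length and the exponent. The Decimal is
    parsed but never expanded, so "1e999999" is handled in constant time.
    Returns None for non-numeric or non-finite input (NaN, Infinity)."""
    try:
        d = Decimal(value)
    except InvalidOperation:
        return None
    if not d.is_finite():
        return None
    _sign, digits, exponent = d.as_tuple()
    # Positive exponent: mantissa digits plus that many trailing zeros.
    # Negative exponent: at most mantissa digits plus the leading zeros after
    # the point. len(digits) + abs(exponent) covers both cases.
    return len(digits) + abs(exponent)


def safe_floatformat(value: str, places: int = 2) -> str:
    """Round `value` to `places` decimal places, unless its plain expansion
    could exceed MAX_DIGITS, in which case the input is returned unchanged
    (the behaviour the 5.0.8 notes describe for floatformat)."""
    bound = plain_size_bound(value)
    if bound is None or bound > MAX_DIGITS:
        return value
    # Only now is the value materialised in fixed-point notation.
    return f"{Decimal(value):.{places}f}"


if __name__ == "__main__":
    # Constructed inputs: an ordinary value and a large-exponent one.
    print(safe_floatformat("3.14159"))     # 3.14
    print(safe_floatformat("1e999999"))    # 1e999999, returned as is
```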
CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize()
urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
urlize, urlizetrunc, and AdminURLFieldWidget were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
QuerySet.values() and values_list() methods on models with a JSONField were subject to SQL injection in column aliases, via a crafted JSON object key as a passed *arg.
Bugfixes
- Added missing validation for UniqueConstraint(nulls_distinct=False) when using *expressions (#35594).
- Fixed a regression in Django 5.0 where ModelAdmin.action_checkbox could break the admin changelist HTML page when rendering a model instance with a __html__ method (#35606).
- Fixed a crash when creating a model with a Field.db_default and a Meta.constraints constraint composed of __endswith, __startswith, or __contains lookups (#35625).
- Fixed a regression in Django 5.0.7 that caused a crash in LocaleMiddleware when processing a language code over 500 characters (#35627).
- Fixed a bug in Django 5.0 that caused a system check crash when ModelAdmin.date_hierarchy was a GeneratedField with an output_field of DateField or DateTimeField (#35628).
- Fixed a bug in Django 5.0 which caused constraint validation to either crash or incorrectly raise validation errors for constraints referring to fields using Field.db_default (#35638).
- Fixed a crash in Django 5.0 when saving a model containing a FileField with a db_default set (#35657).