On Mon, 11 Feb 2019 10:15:54 -0200 Herbert Fortes <terb...@gmail.com> wrote:
> Package: python-django
> Version: Django 2.2, 1.11
> Severity: normal
>
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
>
> If django.utils.numberformat.format() -- used by contrib.admin as well as the
> floatformat, filesizeformat, and intcomma template filters -- received a
> Decimal with a large number of digits or a large exponent, it could lead to
> significant memory usage due to a call to '{:f}'.format().
>
> To avoid this, decimals with more than 200 digits are now formatted using
> scientific notation.
>
> Thanks Sjoerd Job Postmus for reporting this issue.
>
> Affected supported versions
>
> Django master branch
> Django 2.2 (which will be released in a separate blog post later today)
> Django 2.1
> Django 2.0
> Django 1.11
>
> Per our supported versions policy, Django 1.10 and older are no longer
> supported.
>
> https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

Broken django 1.11.19 release for python2.7

It looks like the distributed django 1.11.19 release does not match the code in the 1.11.19 tag.

Component: Uncategorized → Core (Other)
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

https://code.djangoproject.com/ticket/30175
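For anyone trying to understand what the quoted advisory is about: the following is an added example, not Django's own code and not from the ticket. It shows why '{:f}'.format() on a Decimal is dangerous when the value is attacker-controlled, and a guard in the spirit of the fix described above (the 200-digit cutoff is taken from the advisory; the function names, the digit estimate and the sample inputs are assumptions made for this illustration).

```python
"""Added example (not Django's code): why '{:f}' on an attacker-controlled
Decimal exhausts memory, and a digit-count guard in the spirit of the
CVE-2019-6975 fix. The 200-digit cutoff comes from the advisory; everything
else here is illustrative."""
from decimal import Decimal

# Cutoff stated in the advisory; above it we refuse fixed notation.
MAX_FIXED_DIGITS = 200


def fixed_notation_digits(number):
    """Estimate how many digits '{:f}'.format(number) would emit, without
    building the string.

    Decimal.as_tuple() returns (sign, digits, exponent). A positive exponent
    means that many trailing zeros get appended; a negative one means that
    many fractional digits get written out. Either way the cost is
    len(digits) + |exponent|, so a 14-character input such as
    Decimal('1e1000000000') costs about a gigabyte of output.
    """
    _sign, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def format_vulnerable(number):
    """Pre-fix behaviour: always expand to fixed notation, whatever the size."""
    return '{:f}'.format(number)


def format_hardened(number):
    """Guarded formatter: fall back to scientific notation past the cutoff."""
    if not isinstance(number, Decimal):
        return str(number)
    if not number.is_finite():
        # NaN and Infinity carry a non-integer exponent in as_tuple() and
        # have nothing to expand, so print them as-is.
        return str(number)
    if fixed_notation_digits(number) > MAX_FIXED_DIGITS:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed inputs (assumed to come from an untrusted source): a normal
    # value, two large-magnitude values, and a hostile exponent kept small
    # enough to actually run here.
    for text in ('1234.5', '1e300', '1.5e-300', '1e1000000'):
        value = Decimal(text)
        print(text, '->', len(format_vulnerable(value)), 'chars unguarded,',
              repr(format_hardened(value)), 'guarded')
```

The estimate in fixed_notation_digits is exact for the magnitude cases that matter ('1e300' expands to 301 characters, '1.5e-300' to 303) and is computed from the tuple, so the check itself never allocates the big string; that is the property the guard relies on.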