On Mon, 11 Feb 2019 10:15:54 -0200 Herbert Fortes <terb...@gmail.com> wrote:

> Package: python-django
> Version: Django 2.2, 1.11
> Severity: normal
>
>
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
>
> If django.utils.numberformat.format() -- used by contrib.admin as well as the 
> floatformat, filesizeformat, and intcomma template filters -- received a 
> Decimal with a large number of digits or a large exponent, it could lead to 
> significant memory usage due to a call to '{:f}'.format().
>
> To avoid this, decimals with more than 200 digits are now formatted using 
> scientific notation.
>
> Thanks Sjoerd Job Postmus for reporting this issue.
> Affected supported versions
>
>     Django master branch
>     Django 2.2 (which will be released in a separate blog post later today)
>     Django 2.1
>     Django 2.0
>     Django 1.11
>
> Per our supported versions policy, Django 1.10 and older are no longer 
> supported.
>
> https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

Broken django 1.11.19 release for python2.7

It looks like the distributed django 1.11.19 release does not match the code in
the 1.11.19 tag.

Component:      Uncategorized → Core (Other)
Triage Stage:   Unreviewed → Accepted
Type:   Uncategorized → Bug


https://code.djangoproject.com/ticket/30175
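The advisory quoted above names the memory-exhaustion path ('{:f}'.format() on a Decimal with a huge exponent) and the mitigation (scientific notation above 200 digits). The following Python example is added here for illustration; it is not code from the e-mail, the ticket, or Django's own source. It puts the unguarded formatter beside a guarded one that sizes the expansion from Decimal.as_tuple() before formatting. The function names, the compare() helper and the bare '{:e}' fallback (no locale-aware separators or grouping, which the real django.utils.numberformat.format() handles) are assumptions made for this page; the 200-digit cutoff is the one the advisory states.

```python
from decimal import Decimal

# Threshold taken from the advisory: expansions of more than 200 digits are
# refused and the value is emitted in scientific notation instead.
MAX_FIXED_POINT_DIGITS = 200


def expanded_digit_count(number):
    """Estimate the characters '{:f}'.format(number) would produce.

    Decimal.as_tuple() returns the coefficient digits and the exponent without
    expanding anything, so this costs O(len(digits)) whatever the exponent.
    A positive exponent appends that many zeros to the integer part; a
    negative one inserts leading zeros after the decimal point, so the
    absolute exponent is the right quantity either way. The estimate is off
    by a few characters for the sign, a leading '0.' and the decimal point.
    """
    number = Decimal(number)
    if not number.is_finite():
        # as_tuple() reports a letter ('F', 'n', 'N') as the exponent for
        # Infinity/NaN; abs() on it would raise, and they render as short
        # fixed strings anyway.
        return len(str(number))
    _sign, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def unsafe_format(number):
    """Pre-fix behaviour: unconditional fixed-point formatting.

    Decimal('1E+1000000000') is built from the string without expansion, but
    this call then tries to allocate a string of a billion zeros. That is the
    memory-exhaustion path the advisory describes; the demo below keeps the
    exponent small enough not to reproduce it for real.
    """
    return '{:f}'.format(Decimal(number))


def safe_format(number, max_digits=MAX_FIXED_POINT_DIGITS):
    """Fixed-point formatting under a digit budget (hypothetical helper).

    A value whose expansion would exceed max_digits is emitted in scientific
    notation, which costs only the coefficient digits plus a short exponent.
    This shows the guard only; Django's real formatter also applies decimal
    separators, thousand grouping and localisation.
    """
    number = Decimal(number)
    if expanded_digit_count(number) > max_digits:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


def compare(value):
    """Return (length of the unsafe output, safe output) for one value.

    Only call this with exponents of at most a few hundred thousand; the
    unsafe branch really does allocate the whole string.
    """
    return len(unsafe_format(value)), safe_format(value)


if __name__ == '__main__':
    # Constructed inputs: an ordinary value, then a large positive and a large
    # negative exponent, each well below anything that would hurt this host.
    for sample in ('1234.5678', '1E+100000', '1E-100000'):
        unsafe_len, safe_out = compare(sample)
        print('%-12s unsafe length=%-8d safe=%r' % (sample, unsafe_len, safe_out))
```

Run it and the middle two samples show a six-figure unsafe length against a nine-character safe output; the guard costs one as_tuple() call and never touches the exponent as a string length. Note that the 200-digit cutoff is a policy choice, not a property of the Decimal type: construction from a string is not bounded by the decimal context, so any formatter that expands a user-supplied Decimal needs a budget like this one.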
