django/docs/releases/4.2.16.txt

===========================
Django 4.2.16 release notes
===========================

*September 3, 2024*

Django 4.2.16 fixes one security issue with severity "moderate" and one
security issue with severity "low" in 4.2.15.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.
Added stub release notes and release date for 5.1.1, 5.0.9, and 4.2.16. 2024-08-27 14:20:59 +02:00			`===========================`
			`Django 4.2.16 release notes`
			`===========================`

			`September 3, 2024`

			`Django 4.2.16 fixes one security issue with severity "moderate" and one`
Fixed grammatical error in stub release notes for upcoming security release. 2024-08-27 14:46:12 +02:00			`security issue with severity "low" in 4.2.15.`
Added stub release notes and release date for 5.1.1, 5.0.9, and 4.2.16. 2024-08-27 14:20:59 +02:00
Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. 2024-08-12 15:17:57 +02:00			CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
			`===========================================================================================`

			:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
			`denial-of-service attack via very large inputs with a specific sequence of`
			`characters.`
Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews. 2024-08-19 19:47:38 +02:00
			`CVE-2024-45231: Potential user email enumeration via response status on password reset`
			`======================================================================================`

			`Due to unhandled email sending failures, the`
			:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
			`attackers to enumerate user emails by issuing password reset requests and`
			`observing the outcomes.`

			`To mitigate this risk, exceptions occurring during password reset email sending`
			are now handled and logged using the :ref:`django-contrib-auth-logger` logger.