django/docs/releases/4.2.14.txt

===========================
Django 4.2.14 release notes
===========================

*July 9, 2024*

Django 4.2.14 fixes two security issues with severity "moderate" and two
security issues with severity "low" in 4.2.13.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.
Added stub release notes and release date for 5.0.7 and 4.2.14. 2024-07-03 19:09:34 +02:00			`===========================`
			`Django 4.2.14 release notes`
			`===========================`

			`July 9, 2024`

			`Django 4.2.14 fixes two security issues with severity "moderate" and two`
			`security issues with severity "low" in 4.2.13.`

Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-06-24 15:30:59 +02:00			CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
			`===========================================================================================`

			:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
			`denial-of-service attack via certain inputs with a very large number of`
			`brackets.`
Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. 2024-06-15 04:12:58 +02:00
			`CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords`
			`================================================================================================`

			The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
			`allowed remote attackers to enumerate users via a timing attack involving login`
			`requests for users with unusable passwords.`
Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews. 2024-03-20 17:55:21 +01:00
			CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
			`====================================================================`

			Derived classes of the :class:`~django.core.files.storage.Storage` base class
			which override :meth:`generate_filename()
			<django.core.files.storage.Storage.generate_filename()>` without replicating
			`the file path validations existing in the parent class, allowed for potential`
			directory-traversal via certain inputs when calling :meth:`save()
			<django.core.files.storage.Storage.save()>`.

			Built-in ``Storage`` sub-classes were not affected by this vulnerability.