0
0
mirror of https://github.com/django/django.git synced 2024-11-25 07:59:34 +01:00
django/docs/releases/4.2.11.txt
Shai Berger f6ad8c7676 Refs CVE-2024-27351 -- Forwardported release notes and tests.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-03-04 08:22:00 +01:00

23 lines
863 B
Plaintext

===========================
Django 4.2.11 release notes
===========================
*March 4, 2024*
Django 4.2.11 fixes a security issue with severity "moderate" and a regression
in 4.2.10.
CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================
``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
Bugfixes
========
* Fixed a regression in Django 4.2.10 where ``intcomma`` template filter could
return a leading comma for string representation of floats (:ticket:`35172`).