This PR contains the following updates:

| Package | Change |
|---|---|
| django | `==3.2.21` -> `==4.2.16` |
### GitHub Vulnerability Alerts

#### CVE-2024-27351

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

#### CVE-2024-24680

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

#### CVE-2023-43665

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

#### CVE-2023-46695

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

#### CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
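As an added example (not part of this Renovate PR or of Django), the affected ranges quoted in the alerts above are encoded as data and checked against the PR's old pin `3.2.21` and new pin `4.2.16`. CVE-2024-45231 is encoded as the exact releases its alert text names, so the new pin is still flagged for that alert exactly as the text reads; the version parser assumes plain numeric Django release numbers.

```python
# Added example: map the alert text above to a version check for the pins in this PR.

# "X.Y before X.Y.Z" from the alerts -> (series, first fixed release).
ALERTS = {
    "CVE-2024-27351": [("3.2", "3.2.25"), ("4.2", "4.2.11"), ("5.0", "5.0.3")],
    "CVE-2024-24680": [("3.2", "3.2.24"), ("4.2", "4.2.10"), ("5.0", "5.0.2")],
    "CVE-2023-43665": [("3.2", "3.2.22"), ("4.1", "4.1.12"), ("4.2", "4.2.6")],
    "CVE-2023-46695": [("3.2", "3.2.23"), ("4.1", "4.1.13"), ("4.2", "4.2.7")],
}
# CVE-2024-45231 is worded as a list of exact releases rather than a range.
EXACT_AFFECTED = {"CVE-2024-45231": {"5.1.1", "5.0.9", "4.2.16"}}


def parse(version):
    # Assumes numeric dotted releases only (e.g. "4.2" or "4.2.16"), so
    # tuple comparison orders them correctly: (4, 2) < (4, 2, 11).
    return tuple(int(part) for part in version.split("."))


def series_of(version):
    # "4.2.16" -> "4.2"; the alerts scope each range to one series.
    return ".".join(version.split(".")[:2])


def affected_cves(version):
    """Return the sorted CVE ids whose alert text covers this release."""
    hits = set()
    for cve, ranges in ALERTS.items():
        for series, fixed_in in ranges:
            if series_of(version) == series and parse(version) < parse(fixed_in):
                hits.add(cve)
    for cve, releases in EXACT_AFFECTED.items():
        if version in releases:
            hits.add(cve)
    return sorted(hits)


def pin_from_requirement(line):
    # "django==3.2.21" -> "3.2.21"; only exact '==' pins are handled here.
    _name, _sep, version = line.strip().partition("==")
    return version


if __name__ == "__main__":
    for pin in ("django==3.2.21", "django==4.2.16"):  # the pins in this PR
        release = pin_from_requirement(pin)
        print(release, affected_cves(release))
```

Running it shows the old pin matched by the four range-based alerts and the new pin matched only by CVE-2024-45231.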
### Release Notes

**django/django (Django)**
- [`v4.2.16`](https://redirect.github.com/django/django/compare/4.2.15...4.2.16)
- [`v4.2.15`](https://redirect.github.com/django/django/compare/4.2.14...4.2.15)
- [`v4.2.14`](https://redirect.github.com/django/django/compare/4.2.13...4.2.14)
- [`v4.2.13`](https://redirect.github.com/django/django/compare/4.2.12...4.2.13)
- [`v4.2.12`](https://redirect.github.com/django/django/compare/4.2.11...4.2.12)
- [`v4.2.11`](https://redirect.github.com/django/django/compare/4.2.10...4.2.11)
- [`v4.2.10`](https://redirect.github.com/django/django/compare/4.2.9...4.2.10)
- [`v4.2.9`](https://redirect.github.com/django/django/compare/4.2.8...4.2.9)
- [`v4.2.8`](https://redirect.github.com/django/django/compare/4.2.7...4.2.8)
- [`v4.2.7`](https://redirect.github.com/django/django/compare/4.2.6...4.2.7)
- [`v4.2.6`](https://redirect.github.com/django/django/compare/4.2.5...4.2.6)
- [`v4.2.5`](https://redirect.github.com/django/django/compare/4.2.4...4.2.5)
- [`v4.2.4`](https://redirect.github.com/django/django/compare/4.2.3...4.2.4)
- [`v4.2.3`](https://redirect.github.com/django/django/compare/4.2.2...4.2.3)
- [`v4.2.2`](https://redirect.github.com/django/django/compare/4.2.1...4.2.2)
- [`v4.2.1`](https://redirect.github.com/django/django/compare/4.2...4.2.1)
- [`v4.2`](https://redirect.github.com/django/django/compare/4.1.13...4.2)
- [`v4.1.13`](https://redirect.github.com/django/django/compare/4.1.12...4.1.13)
- [`v4.1.12`](https://redirect.github.com/django/django/compare/4.1.11...4.1.12)
- [`v4.1.11`](https://redirect.github.com/django/django/compare/4.1.10...4.1.11)
- [`v4.1.10`](https://redirect.github.com/django/django/compare/4.1.9...4.1.10)
- [`v4.1.9`](https://redirect.github.com/django/django/compare/4.1.8...4.1.9)
- [`v4.1.8`](https://redirect.github.com/django/django/compare/4.1.7...4.1.8)
- [`v4.1.7`](https://redirect.github.com/django/django/compare/4.1.6...4.1.7)
- [`v4.1.6`](https://redirect.github.com/django/django/compare/4.1.5...4.1.6)
- [`v4.1.5`](https://redirect.github.com/django/django/compare/4.1.4...4.1.5)
- [`v4.1.4`](https://redirect.github.com/django/django/compare/4.1.3...4.1.4)
- [`v4.1.3`](https://redirect.github.com/django/django/compare/4.1.2...4.1.3)
- [`v4.1.2`](https://redirect.github.com/django/django/compare/4.1.1...4.1.2)
- [`v4.1.1`](https://redirect.github.com/django/django/compare/4.1...4.1.1)
- [`v4.1`](https://redirect.github.com/django/django/compare/4.0.10...4.1)
- [`v4.0.10`](https://redirect.github.com/django/django/compare/4.0.9...4.0.10)
- [`v4.0.9`](https://redirect.github.com/django/django/compare/4.0.8...4.0.9)
- [`v4.0.8`](https://redirect.github.com/django/django/compare/4.0.7...4.0.8)
- [`v4.0.7`](https://redirect.github.com/django/django/compare/4.0.6...4.0.7)
- [`v4.0.6`](https://redirect.github.com/django/django/compare/4.0.5...4.0.6)
- [`v4.0.5`](https://redirect.github.com/django/django/compare/4.0.4...4.0.5)
- [`v4.0.4`](https://redirect.github.com/django/django/compare/4.0.3...4.0.4)
- [`v4.0.3`](https://redirect.github.com/django/django/compare/4.0.2...4.0.3)
- [`v4.0.2`](https://redirect.github.com/django/django/compare/4.0.1...4.0.2)
- [`v4.0.1`](https://redirect.github.com/django/django/compare/4.0...4.0.1)
- [`v4.0`](https://redirect.github.com/django/django/compare/3.2.25...4.0)
- [`v3.2.25`](https://redirect.github.com/django/django/compare/3.2.24...3.2.25)
- [`v3.2.24`](https://redirect.github.com/django/django/compare/3.2.23...3.2.24)
- [`v3.2.23`](https://redirect.github.com/django/django/compare/3.2.22...3.2.23)
- [`v3.2.22`](https://redirect.github.com/django/django/compare/3.2.21...3.2.22)

### Configuration
- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.