
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN040

_____________________________________________________________________

DATE                : 12/02/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Django versions prior to 1.11.19,
                     2.0.11, or 2.1.6.

=====================================================================
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
_____________________________________________________________________

In accordance with our security release policy, the Django team is
issuing Django 1.11.19, Django 2.1.6, and Django 2.0.11. These releases
address the security issue detailed below. We encourage all users of
Django to upgrade as soon as possible.

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well
as by the floatformat, filesizeformat, and intcomma template filters --
received a Decimal with a large number of digits or a large exponent, it
could lead to significant memory usage because of a call to
'{:f}'.format(), which expands the value to its full fixed-point
representation.

To avoid this, decimals with more than 200 digits are now formatted
using scientific notation.
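The following example is added to this note and is not code from Django
or from the advisory. It shows why a Decimal with a large exponent is
dangerous for '{:f}'.format() (the fixed-point string grows with the
exponent, not with the number of significant digits) and reconstructs the
fix described above: estimate the fixed-point width from the Decimal's
own tuple and switch to scientific notation above the 200-digit cutoff.
The function names, the width estimate and the sample inputs are
assumptions of this example; only the 200-digit cutoff comes from the
advisory.

```python
from decimal import Decimal

# Cutoff stated in the advisory: Decimals that would need more than 200
# digits are rendered in scientific notation rather than fixed-point.
DIGIT_CUTOFF = 200


def fixed_point_width(number):
    """Estimate how many characters '{:f}'.format(number) will emit,
    without building that string.

    A Decimal is sign * digits * 10**exponent, so the fixed-point form
    needs about len(digits) + abs(exponent) characters: a large positive
    exponent pads with trailing zeros, a large negative one with leading
    zeros after the decimal point. Accepts a Decimal or a string.
    """
    _sign, digits, exponent = Decimal(number).as_tuple()
    return len(digits) + abs(exponent)


def unsafe_format(number):
    """Pre-fix behaviour: always expand to fixed-point, whatever the size.
    Decimal('1E+1000000000') would allocate a string of about 1 GB here."""
    return '{:f}'.format(Decimal(number))


def safe_format(number):
    """Post-fix behaviour (reconstructed here, not Django's own code):
    fall back to scientific notation once the fixed-point form would
    exceed the cutoff, so output size is bounded by the significant
    digits rather than by the exponent."""
    number = Decimal(number)
    if fixed_point_width(number) > DIGIT_CUTOFF:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed inputs: exponents kept small enough to demonstrate the
    # growth without exhausting memory on the machine running the demo.
    for text in ('123.45', '1E+300', '1E-300', '1E+100000'):
        print('%-10s width=%-7d unsafe_len=%-7d safe=%s' % (
            text, fixed_point_width(text),
            len(unsafe_format(text)), safe_format(text)))
```

Run as a script, the table makes the asymmetry visible: '1E+100000' is a
one-digit Decimal, yet unsafe_format() materialises 100,001 characters
for it, while safe_format() returns the eight-character '1e+100000'.
The same estimate can be used as a guard in any code that formats
user-supplied Decimals with '{:f}', whether or not it goes through
Django's template filters.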

Thanks to Sjoerd Job Postmus for reporting this issue.


Affected supported versions

    Django master branch
    Django 2.2 (which will be released in a separate blog post later
      today)
    Django 2.1
    Django 2.0
    Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer
supported.


Resolution

Patches to resolve the issue have been applied to Django's master branch
and the 2.2, 2.1, 2.0, and 1.11 release branches. The patches may be
obtained from the following changesets:

    On the master branch
    On the 2.2 branch
    On the 2.1 release branch
    On the 2.0 release branch
    On the 1.11 release branch

The following releases have been issued:

    Django 1.11.19 (download Django 1.11.19 | 1.11.19 checksums)
    Django 2.0.11 (download Django 2.0.11 | 2.0.11 checksums)
    Django 2.1.6 (download Django 2.1.6 | 2.1.6 checksums)

The PGP key ID used for these releases is Carlton Gibson:
E17DF5C82B4F9D00.


General notes regarding security reporting

As always, we ask that potential security issues be reported via private
email to security@djangoproject.com, and not via Django's Trac instance
or the django-developers list. Please see our security policies for
further information.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
