
Bug #10002

py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975)

Added by Alicha CH 3 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
-
Start date:
02/21/2019
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Affected versions:
Security IDs:
CVE-2019-6975

Description

A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format(), used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters, received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation.

References:

https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2019-6975


Subtasks

Bug #10003: [3.10] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975) - Closed - Natanael Copa

Bug #10004: [3.9] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975) - Closed - Natanael Copa

Bug #10005: [3.8] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975) - Closed - Natanael Copa

Bug #10006: [3.7] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975) - Closed - Natanael Copa

Bug #10007: [3.6] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975) - Closed - Natanael Copa

History

#1 Updated by Leonardo Arena 3 months ago

  • Status changed from New to Resolved

#2 Updated by Alicha CH 3 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
