
Bug #10005

Bug #10002: py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975)

[3.8] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975)

Added by Alicha CH 4 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 02/21/2019
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs: CVE-2019-6975

Description

A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format(), used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters, received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
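As an added illustration of the mitigation described above (this is not Django's own code), the helper below estimates how many digits positional formatting would have to emit for a Decimal and falls back to scientific notation above the same 200-digit cutoff; the function names and the sample inputs are assumptions chosen for the demonstration.

```python
from decimal import Decimal

# Cutoff matching the one the ticket describes (200 digits). Above it,
# '{:f}'.format() output length grows linearly with the exponent.
MAX_POSITIONAL_DIGITS = 200


def positional_digits(number: Decimal) -> int:
    """Digits that '{:f}'.format(number) would have to write out.

    Positional notation needs every coefficient digit plus one digit per
    unit of exponent (trailing zeros for a positive exponent, leading
    zeros for a negative one), so the cost is driven by the exponent's
    magnitude, not by the length of the original string.
    """
    _sign, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def unsafe_format_length(number: Decimal) -> int:
    """Length of the naive positional output (only call on modest inputs)."""
    return len('{:f}'.format(number))


def safe_format(number: Decimal) -> str:
    """Format a Decimal for display with bounded output size.

    Small values keep the familiar positional form; anything that would
    exceed the cutoff is rendered with '{:e}', whose length depends on the
    number of digits in the exponent rather than on its value.
    """
    if positional_digits(number) > MAX_POSITIONAL_DIGITS:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed inputs: a short string that expands to ~1 kB positionally,
    # and one that would expand to ~100 kB, each only a few characters long.
    for text in ('1234.5', '1e1000', '1e100000'):
        value = Decimal(text)
        print(text, positional_digits(value), safe_format(value)[:40])
```

The key point is that the attacker-controlled quantity is the exponent, so the cost estimate must be computed from as_tuple() before any positional string is built.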

References:

https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2019-6975

Associated revisions

Revision 0bfe3678 (diff)
Added by Leonardo Arena 4 months ago

main/py-django: security upgrade to 1.11.20 (CVE-2019-6975)

Fixes #10005

History

#1 Updated by Anonymous 4 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Alicha CH 4 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
