[3.8] py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975)
A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format(), used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters, received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
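The root cause and the mitigation described above, as an added illustration (not Django's own code): '{:f}' materialises every positional digit of a Decimal, so the output length grows with the exponent, whereas inspecting as_tuple() lets the formatter decide before any string is built. The function names, the decimal_pos parameter and the sample values are assumptions for this example; the 200-digit threshold is the one stated in the advisory.

```python
from decimal import Decimal

# Threshold from the upstream fix: Decimals whose stored digits plus exponent
# magnitude exceed this are formatted in scientific notation instead.
MAX_PLAIN_DIGITS = 200


def naive_format(number):
    """Pre-fix behaviour (illustration only): '{:f}' expands the full
    positional form, so a one-digit Decimal with a huge exponent becomes
    a string with that many zeros."""
    return '{:f}'.format(number)


def safe_format(number, decimal_pos=None, max_plain_digits=MAX_PLAIN_DIGITS):
    """Format a Decimal with the output size bounded: fall back to '{:e}'
    when the positional form would need more than max_plain_digits digits."""
    if not isinstance(number, Decimal):
        return str(number)
    # NaN / Infinity have no numeric exponent in as_tuple(); str() is cheap.
    if not number.is_finite():
        return str(number)
    sign, digits, exponent = number.as_tuple()
    # as_tuple() exposes the cost up front: Decimal('1E+5000') stores one
    # digit and exponent 5000, so the plain form would need 5001 characters.
    if abs(exponent) + len(digits) > max_plain_digits:
        # '{:e}' emits only the stored digits plus a short exponent marker.
        return '{:e}'.format(number)
    if decimal_pos is not None:
        return format(number, '.{}f'.format(decimal_pos))
    return '{:f}'.format(number)


def compare(number):
    """Return (length of the naive output, hardened output) for one value,
    so the growth of the unguarded form is visible without printing it."""
    return len(naive_format(number)), safe_format(number)


if __name__ == '__main__':
    # Constructed sample: modest exponent so the demo itself stays cheap.
    for sample in (Decimal('1234.5'), Decimal('1E+5000'), Decimal('1.5E-300')):
        print(sample, '->', compare(sample))
```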
References:
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2019-6975
(from redmine: issue id 10005, created on 2019-02-21, closed on 2019-03-05)
- Relations:
- parent #10002 (closed)
- Changesets:
- Revision 0bfe3678 on 2019-02-28T14:44:16Z:
main/py-django: security upgrade to 1.11.20 (CVE-2019-6975)
Fixes #10005