"Fossies" - the Fresh Open Source Software Archive

Member "Django-1.11.25/docs/releases/1.11.11.txt" (1 Oct 2019, 1435 Bytes) of package /linux/www/Django-1.11.25.tar.gz:



============================
Django 1.11.11 release notes
============================

*March 6, 2018*

Django 1.11.11 fixes two security issues in 1.11.10.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable: a template that
applies either filter to attacker-controlled text could be made to tie up a
worker process for an extended time.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable in the same way.

The backtracking problem in the regular expression is fixed.
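Both advisories above describe the same bug class: a regular expression with a quantified group nested inside another quantifier, which a backtracking engine such as Python's ``re`` evaluates in exponential time when the input almost matches. The following is an added example, not code from Django or from these release notes. The regex ``BAD_TRAILING_RE``, the punctuation set ``TRAILING_PUNCTUATION`` and the helper names are constructed for illustration and are not Django's actual expressions; the block shows the vulnerable shape beside the kind of replacement the notes describe, a linear scan that returns the same result.

```python
import re
import time

# Characters treated as trailing punctuation to peel off a URL candidate.
# An assumption for this illustration, not Django's list.
TRAILING_PUNCTUATION = '.,:;!)'

# Constructed illustration of the bug class in these notes, not Django's
# actual expression: a quantified group nested inside another quantifier.
# Every run of punctuation can be split between the inner '+' and the
# outer '*' in exponentially many ways, and when the '$' anchor fails the
# engine tries all of them before giving up on that starting position.
BAD_TRAILING_RE = re.compile(r'^(.*?)((?:[.,:;!]|\))+)*$')


def strip_trailing_regex(word):
    """Split a token into (body, trailing punctuation) using the bad regex.

    Correct on benign input; exponential on crafted input such as
    '.' * n + 'x', where the anchor can never be satisfied until the lazy
    prefix has swallowed every dot.
    """
    m = BAD_TRAILING_RE.match(word)
    if m is None:  # only possible if the token contains a newline
        return word, ''
    body = m.group(1)
    return body, word[len(body):]


def strip_trailing_linear(word):
    """Same split as the regex, as a single backwards scan: O(len(word)).

    This is the shape of fix the release notes describe: the regex is
    replaced by parsing logic that behaves the same on every input.
    """
    end = len(word)
    while end > 0 and word[end - 1] in TRAILING_PUNCTUATION:
        end -= 1
    return word[:end], word[end:]


def agree_on(words):
    """True if both implementations return the same split for every word."""
    return all(strip_trailing_regex(w) == strip_trailing_linear(w) for w in words)


def seconds(func, n):
    """Wall-clock time for func over the crafted token '.' * n + 'x'."""
    crafted = '.' * n + 'x'
    start = time.perf_counter()
    func(crafted)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Constructed sample tokens, as a word splitter would hand them to urlize.
    samples = ['http://example.com).', 'see http://example.com/a.b!', 'plain', '...']
    for w in samples:
        print(repr(w), '->', strip_trailing_linear(w))
    # Each extra four dots multiplies the regex time by roughly sixteen;
    # the linear scan is unaffected. n stays small so this finishes quickly.
    for n in (10, 14, 18):
        print('n=%d regex=%.4fs linear=%.6fs'
              % (n, seconds(strip_trailing_regex, n), seconds(strip_trailing_linear, n)))
```

The practitioner check this suggests for any regex applied to untrusted text: feed it a long run of one character that the pattern accepts, followed by one character that makes the overall match fail, and watch whether the time grows linearly or doubles with each added character. ``re`` offers no match timeout, so the only durable fix is to rewrite the pattern without nested quantifiers over overlapping alternatives, or to replace it with explicit parsing as Django did here.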