Django security releases issued: 2.1.6, 2.0.11 and 1.11.19

Posted by Carlton Gibson on February 11, 2019

In accordance with our security release policy, the Django team is issuing Django 1.11.19, Django 2.1.6, and Django 2.0.11. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
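As an added illustration (not Django's own patch), the guard described above: the number of digits that '{:f}' would have to materialise is estimated from Decimal.as_tuple(), and anything past the 200-digit limit is rendered in scientific notation instead. The function names and the optional decimal_pos argument are assumptions for this example.

```python
from decimal import Decimal
from typing import Optional

# Example code, not Django's implementation; the 200-digit threshold comes
# from the advisory text above.
DIGIT_LIMIT = 200


def decimal_digit_count(number: Decimal) -> int:
    """Estimate how many digits '{:f}'.format(number) would produce.

    Decimal('1E+100000') is stored as a single digit with exponent 100000,
    but its fixed-point rendering is '1' followed by 100000 zeros, so the
    exponent, not the stored digits, drives the size of the output.
    """
    _sign, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def safe_format(number: Decimal, decimal_pos: Optional[int] = None) -> str:
    """Format a Decimal without expanding an oversized exponent.

    Values within DIGIT_LIMIT take the fixed-point path that the original
    code used unconditionally. Larger values use '{:e}', whose output length
    is bounded by the length of the coefficient and exponent text rather
    than by the exponent's value.
    """
    if not number.is_finite():
        # NaN/Infinity carry no exponent to expand; str() is already bounded.
        return str(number)
    if decimal_digit_count(number) > DIGIT_LIMIT:
        return '{:e}'.format(number)
    if decimal_pos is not None:
        return '{:.{prec}f}'.format(number, prec=decimal_pos)
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed inputs: a huge exponent stays a few characters long, while
    # ordinary values keep their fixed-point form.
    print(safe_format(Decimal('1E+100000')))   # 1e+100000
    print(safe_format(Decimal('12345.678')))   # 12345.678
    print(safe_format(Decimal('1.5'), 2))      # 1.50
```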

Thanks Sjoerd Job Postmus for reporting this issue.

Affected supported versions

  • Django master branch
  • Django 2.2 (which will be released in a separate blog post later today)
  • Django 2.1
  • Django 2.0
  • Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, 2.0, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

Update: A packaging error affected these releases. Please use Django 1.11.20 (download Django 1.11.20 | 1.11.20 checksums), Django 2.0.13 (download Django 2.0.13 | 2.0.13 checksums), or Django 2.1.7 (download Django 2.1.7 | 2.1.7 checksums) or later versions.

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
