[Security] Bump django from 4.2.10 to 4.2.11

HIFIS Bot requested to merge dependabot/pip/django-4.2.11 into master

Bumps django from 4.2.10 to 4.2.11. This update includes a security fix.

Vulnerabilities fixed

Regular expression denial-of-service in Django

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Patched versions: 4.2.11
Affected versions: >= 4.2, < 4.2.11
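As an added example (not part of this merge request or of Django itself), a small audit helper that flags Django pins falling inside the affected ranges the advisory above lists; it assumes requirements are pinned with `==` and uses importlib.metadata to inspect whatever Django is installed in the current environment.

```python
import re
from importlib import metadata

# Affected series and first patched release, as stated in the advisory
# for CVE-2024-27351. Series not listed here (e.g. 4.0, 4.1) are not
# covered by the advisory and are reported as not affected.
PATCHED = {(3, 2): (3, 2, 25), (4, 2): (4, 2, 11), (5, 0): (5, 0, 3)}


def parse_version(text):
    """Turn '4.2.10' (or '4.2.10rc1') into a tuple of ints, dropping any suffix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_affected(version):
    """True when the version is in a series the advisory lists and predates its fix."""
    v = parse_version(version)
    fixed = PATCHED.get(v[:2])
    return fixed is not None and v < fixed


def check_requirements(lines):
    """Return (pinned_version, affected) for each 'django==X.Y.Z' pin found."""
    results = []
    for line in lines:
        # Accepts 'Django == 4.2.11 ; python_version>="3.8"' style pins too.
        m = re.match(r"\s*django\s*==\s*([0-9][^\s;#]*)", line, re.IGNORECASE)
        if m:
            results.append((m.group(1), is_affected(m.group(1))))
    return results


def installed_django_affected():
    """None when Django is not installed, else whether the installed build is affected."""
    try:
        return is_affected(metadata.version("django"))
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample: the pin this merge request moves from and to.
    sample = ["django==4.2.10", "django==4.2.11", "requests==2.31.0"]
    for pin, bad in check_requirements(sample):
        print(f"django=={pin}: {'AFFECTED' if bad else 'patched'}")
    print("installed:", installed_django_affected())
```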

Commits
  • 61a986f [4.2.x] Bumped version for 4.2.11 release.
  • 3c9a277 [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().
  • 7973951 [4.2.x] Added release date for 4.2.11 and 3.2.25.
  • 86d8034 [4.2.x] Refs #34900, Refs #34118 -- Updated assertion in test_skip_class_unle...
  • cb173bb [4.2.x] Fixed #35172 -- Fixed intcomma for string floats.
  • 227ef29 [4.2.x] Added CVE-2024-24680 to security archive.
  • e2f1907 [4.2.x] Post release version bump.
  • See full diff in compare view