From: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing releases for
`Django 5.0.7 <https://docs.djangoproject.com/en/dev/releases/5.0.7/>`_ and
`Django 4.2.14 <https://docs.djangoproject.com/en/dev/releases/4.2.14/>`_.
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize()
=========================================================================

``urlize()`` and ``urlizetrunc()`` were subject to a potential denial-of-service
attack via certain inputs with a very large number of brackets.

Thanks to Elias Myllymäki for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The ``django.contrib.auth.backends.ModelBackend.authenticate()`` method
allowed remote attackers to enumerate users via a timing attack involving
login requests for users with unusable passwords.

This issue has severity "low" according to the Django security policy.

CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save()
=========================================================================================

Derived classes of the ``django.core.files.storage.Storage`` base class which
override ``generate_filename()`` without replicating the file path validations
existing in the parent class allowed for potential directory-traversal via
certain inputs when calling ``save()``.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.
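To make the failure mode concrete, here is an added illustration (not Django's code; the ``BaseStorage``, ``UnsafeStorage`` and ``attempt_save`` names are hypothetical) of a storage skeleton whose ``save()`` re-validates the name returned by an overridable ``generate_filename()`` hook, so a subclass that drops the parent's checks can no longer yield a path that climbs out of the storage root:

```python
import posixpath
from pathlib import PurePosixPath


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage root."""


def validate_file_name(name, allow_relative_path=False):
    """Reject empty/'.'/'..' names, absolute paths and any '..' segment.
    Hypothetical re-implementation of the kind of check the advisory refers to."""
    if posixpath.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"could not derive file name from {name!r}")
    if allow_relative_path:
        path = PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"path traversal attempt in {name!r}")
    elif name != posixpath.basename(name):
        raise SuspiciousFileOperation(f"file name {name!r} includes path elements")
    return name


class BaseStorage:
    """Hypothetical storage skeleton (not Django's class): generate_filename()
    is the hook subclasses override, save() is the entry point callers use."""

    def generate_filename(self, filename):
        # Parent-class hook: refuses '..' in the directory part of the name.
        dirname, basename = posixpath.split(str(filename).replace("\\", "/"))
        if ".." in PurePosixPath(dirname).parts:
            raise SuspiciousFileOperation(f"path traversal attempt in {dirname!r}")
        return posixpath.normpath(posixpath.join(dirname, basename))

    def save(self, name, revalidate=True):
        name = self.generate_filename(name)
        if revalidate:
            # Hardened entry point: do not trust what a (possibly overridden)
            # hook returned; re-check the final name against the storage root.
            validate_file_name(name, allow_relative_path=True)
        return name


class UnsafeStorage(BaseStorage):
    """The pattern the advisory describes: the override drops every check."""

    def generate_filename(self, filename):
        return str(filename)  # trusts the caller-supplied name verbatim


def attempt_save(storage, name, revalidate=True):
    """Return ("saved", final_name) or ("rejected", reason) for a save attempt."""
    try:
        return ("saved", storage.save(name, revalidate=revalidate))
    except SuspiciousFileOperation as exc:
        return ("rejected", str(exc))
```

Calling ``attempt_save(UnsafeStorage(), "avatars/../../outside.txt", revalidate=False)`` shows the unpatched behaviour (the traversing name is accepted), while the default ``revalidate=True`` rejects it regardless of what the subclass hook did.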

Thanks to Josh Schneier for the report.

This issue has severity "low" according to the Django security policy.

CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant()
========================================================================================================

``get_supported_language_variant()`` was subject to a potential
denial-of-service attack when used with very long strings containing specific
characters.

To mitigate this vulnerability, the language code provided to
``get_supported_language_variant()`` is now parsed up to a maximum length of
500 characters.

Thanks to `MProgrammer <https://hackerone.com/mprogrammer>`_ for the report.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 5.1 (currently at beta status)
* Django 5.0
* Django 4.2

Resolution
==========

Patches to resolve these issues have been applied to Django's main, 5.1, 5.0,
and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize()
-------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/d6664574539c1531612dea833d264ed5c2b04e1e>`__
* On the `5.1 branch <https://github.com/django/django/commit/44aef996c8d723198e89ca834cb1d746e2e72d77>`__
* On the `5.0 branch <https://github.com/django/django/commit/7285644640f085f41d60ab0c8ae4e9153f0485db>`__
* On the `4.2 branch <https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5>`__

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
------------------------------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/5d8645857936c142a3973694799c52165e2bdcdb>`__
* On the `5.1 branch <https://github.com/django/django/commit/f5d16483f3abfd33e301fb5c2005b80bd6d05aaf>`__
* On the `5.0 branch <https://github.com/django/django/commit/07cefdee4a9d1fcd9a3a631cbd07c78defd1923b>`__
* On the `4.2 branch <https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14>`__

CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save()
-----------------------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d>`__
* On the `5.1 branch <https://github.com/django/django/commit/6d36203648a7e14abc89b9aeb8ae9678535b51fb>`__
* On the `5.0 branch <https://github.com/django/django/commit/9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270>`__
* On the `4.2 branch <https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e>`__

CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant()
--------------------------------------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/9e9792228a6bb5d6402a5d645bc3be4cf364aefb>`__
* On the `5.1 branch <https://github.com/django/django/commit/e99ccc43429160828814a72067acf47f5fca9c94>`__
* On the `5.0 branch <https://github.com/django/django/commit/8e7a44e4bec0f11474699c3111a5e0a45afe7f49>`__
* On the `4.2 branch <https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3>`__

The following releases have been issued
=======================================

* Django 5.0.7 (`download Django 5.0.7
  <https://www.djangoproject.com/m/releases/5.0/Django-5.0.7.tar.gz>`_ |
  `5.0.7 checksums
  <https://www.djangoproject.com/m/pgp/Django-5.0.7.checksum.txt>`_)
* Django 4.2.14 (`download Django 4.2.14
  <https://www.djangoproject.com/m/releases/4.2/Django-4.2.14.tar.gz>`_ |
  `4.2.14 checksums
  <https://www.djangoproject.com/m/pgp/Django-4.2.14.checksum.txt>`_)

The PGP key ID used for this release is Natalia Bidart:
`2EE82A8D9470983E <https://github.com/nessita.gpg>`_

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email
to ``secur...@djangoproject.com``, and not via Django's Trac instance, nor via
the Django Forum, nor via the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further information.
