From 2d230132d79221d0358ae51bb2c17c1f46e81bf6 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Wed, 4 Dec 2024 14:30:58 +0100
Subject: [PATCH 1/6] [5.0.x] Post-release version bump.
---
django/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/django/__init__.py b/django/__init__.py
index 45efb4d5d76a..c90a5e1a5736 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
from django.utils.version import get_version
-VERSION = (5, 0, 10, "final", 0)
+VERSION = (5, 0, 11, "alpha", 0)
__version__ = get_version(VERSION)
From cb115d85e2d1d3b46ddcc42d2dcf45c1cb0f3e45 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Wed, 4 Dec 2024 16:30:03 +0100
Subject: [PATCH 2/6] [5.0.x] Added CVE-2024-53907 and CVE-2024-53908 to
security archive.
Backport of 595cb4a7aeb1ba1770d10d601ce9a2b4e487c46e from main.
---
docs/releases/security.txt | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index c99953a81bf6..7b2baad2f679 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -36,6 +36,28 @@ Issues under Django's security process
All security issues have been handled under versions of Django's security
process. These are listed below.
+December 4, 2024 - :cve:`2024-53907`
+------------------------------------
+
+Potential denial-of-service in django.utils.html.strip_tags().
+`Full description
+`__
+
+* Django 5.1 :commit:`(patch) `
+* Django 5.0 :commit:`(patch) `
+* Django 4.2 :commit:`(patch) <790eb058b0716c536a2f2e8d1c6d5079d776c22b>`
+
+December 4, 2024 - :cve:`2024-53908`
+------------------------------------
+
+Potential SQL injection in HasKey(lhs, rhs) on Oracle.
+`Full description
+`__
+
+* Django 5.1 :commit:`(patch) <6943d61818e63e77b65d8b1ae65941e8f04bd87b>`
+* Django 5.0 :commit:`(patch) `
+* Django 4.2 :commit:`(patch) <7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5>`
+
September 3, 2024 - :cve:`2024-45231`
-------------------------------------
From 392817a25870458912a76ce53218bfdb8a9f8e97 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Wed, 4 Dec 2024 16:51:46 +0100
Subject: [PATCH 3/6] [5.0.x] Cleaned up CVE-2024-53907 and CVE-2024-53908
security archive descriptions.
Backport of eb665e076ca3417eb0ac654aed9e9c1853c5af84 from main.
---
docs/releases/security.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index 7b2baad2f679..95a6e003b217 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -39,7 +39,7 @@ process. These are listed below.
December 4, 2024 - :cve:`2024-53907`
------------------------------------
-Potential denial-of-service in django.utils.html.strip_tags().
+Potential denial-of-service in ``django.utils.html.strip_tags()``.
`Full description
`__
@@ -50,7 +50,7 @@ Potential denial-of-service in django.utils.html.strip_tags().
December 4, 2024 - :cve:`2024-53908`
------------------------------------
-Potential SQL injection in HasKey(lhs, rhs) on Oracle.
+Potential SQL injection in ``HasKey(lhs, rhs)`` on Oracle.
`Full description
`__
From 5e63880cb854844a811b4ee062ee9ac695f6809e Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Tue, 7 Jan 2025 12:28:39 -0300
Subject: [PATCH 4/6] [5.0.x] Added stub release notes and release date for
5.0.11 and 4.2.18.
Backport of 53e21eebf22bc05c7fa30820b453b7f345b7af40 from main.
---
docs/releases/4.2.18.txt | 7 +++++++
docs/releases/5.0.11.txt | 7 +++++++
docs/releases/index.txt | 2 ++
3 files changed, 16 insertions(+)
create mode 100644 docs/releases/4.2.18.txt
create mode 100644 docs/releases/5.0.11.txt
diff --git a/docs/releases/4.2.18.txt b/docs/releases/4.2.18.txt
new file mode 100644
index 000000000000..ae0c4e3334fb
--- /dev/null
+++ b/docs/releases/4.2.18.txt
@@ -0,0 +1,7 @@
+===========================
+Django 4.2.18 release notes
+===========================
+
+*January 14, 2025*
+
+Django 4.2.18 fixes a security issue with severity "moderate" in 4.2.17.
diff --git a/docs/releases/5.0.11.txt b/docs/releases/5.0.11.txt
new file mode 100644
index 000000000000..c284b51435be
--- /dev/null
+++ b/docs/releases/5.0.11.txt
@@ -0,0 +1,7 @@
+===========================
+Django 5.0.11 release notes
+===========================
+
+*January 14, 2025*
+
+Django 5.0.11 fixes a security issue with severity "moderate" in 5.0.10.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 8308705f3a17..cd756801803f 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 5.0.11
5.0.10
5.0.9
5.0.8
@@ -43,6 +44,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 4.2.18
4.2.17
4.2.16
4.2.15
From e8d4a2005955dcf962193600b53bf461b190b455 Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Mon, 6 Jan 2025 15:51:45 -0300
Subject: [PATCH 5/6] [5.0.x] Fixed CVE-2024-56374 -- Mitigated potential DoS
in IPv6 validation.
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
---
django/db/models/fields/__init__.py | 6 ++--
django/forms/fields.py | 7 ++--
django/utils/ipv6.py | 19 +++++++++--
docs/ref/forms/fields.txt | 13 ++++++--
docs/releases/4.2.18.txt | 12 +++++++
docs/releases/5.0.11.txt | 12 +++++++
.../field_tests/test_genericipaddressfield.py | 33 ++++++++++++++++++-
tests/utils_tests/test_ipv6.py | 31 +++++++++++++++--
8 files changed, 119 insertions(+), 14 deletions(-)
diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
index 81e32f2d15da..bb3f64475b1b 100644
--- a/django/db/models/fields/__init__.py
+++ b/django/db/models/fields/__init__.py
@@ -30,7 +30,7 @@
)
from django.utils.duration import duration_microseconds, duration_string
from django.utils.functional import Promise, cached_property
-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
from django.utils.itercompat import is_iterable
from django.utils.text import capfirst
from django.utils.translation import gettext_lazy as _
@@ -2220,7 +2220,7 @@ def __init__(
invalid_error_message,
) = validators.ip_address_validators(protocol, unpack_ipv4)
self.default_error_messages["invalid"] = invalid_error_message
- kwargs["max_length"] = 39
+ kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH
super().__init__(verbose_name, name, *args, **kwargs)
def check(self, **kwargs):
@@ -2247,7 +2247,7 @@ def deconstruct(self):
kwargs["unpack_ipv4"] = self.unpack_ipv4
if self.protocol != "both":
kwargs["protocol"] = self.protocol
- if kwargs.get("max_length") == 39:
+ if kwargs.get("max_length") == self.max_length:
del kwargs["max_length"]
return name, path, args, kwargs
diff --git a/django/forms/fields.py b/django/forms/fields.py
index f00d567a3a3e..fe6cacc6da66 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -46,7 +46,7 @@
from django.utils.dateparse import parse_datetime, parse_duration
from django.utils.deprecation import RemovedInDjango60Warning
from django.utils.duration import duration_string
-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
from django.utils.regex_helper import _lazy_re_compile
from django.utils.translation import gettext_lazy as _
from django.utils.translation import ngettext_lazy
@@ -1295,6 +1295,7 @@ def __init__(self, *, protocol="both", unpack_ipv4=False, **kwargs):
self.default_validators = validators.ip_address_validators(
protocol, unpack_ipv4
)[0]
+ kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
super().__init__(**kwargs)
def to_python(self, value):
@@ -1302,7 +1303,9 @@ def to_python(self, value):
return ""
value = value.strip()
if value and ":" in value:
- return clean_ipv6_address(value, self.unpack_ipv4)
+ return clean_ipv6_address(
+ value, self.unpack_ipv4, max_length=self.max_length
+ )
return value
diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py
index 88dd6ecb4b84..de41a97f7210 100644
--- a/django/utils/ipv6.py
+++ b/django/utils/ipv6.py
@@ -3,9 +3,22 @@
from django.core.exceptions import ValidationError
from django.utils.translation import gettext_lazy as _
+MAX_IPV6_ADDRESS_LENGTH = 39
+
+
+def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
+ if len(ip_str) > max_length:
+ raise ValueError(
+ f"Unable to convert {ip_str} to an IPv6 address (value too long)."
+ )
+ return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+
def clean_ipv6_address(
- ip_str, unpack_ipv4=False, error_message=_("This is not a valid IPv6 address.")
+ ip_str,
+ unpack_ipv4=False,
+ error_message=_("This is not a valid IPv6 address."),
+ max_length=MAX_IPV6_ADDRESS_LENGTH,
):
"""
Clean an IPv6 address string.
@@ -24,7 +37,7 @@ def clean_ipv6_address(
Return a compressed IPv6 address or the same value.
"""
try:
- addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+ addr = _ipv6_address_from_str(ip_str, max_length)
except ValueError:
raise ValidationError(error_message, code="invalid")
@@ -41,7 +54,7 @@ def is_valid_ipv6_address(ip_str):
Return whether or not the `ip_str` string is a valid IPv6 address.
"""
try:
- ipaddress.IPv6Address(ip_str)
+ _ipv6_address_from_str(ip_str)
except ValueError:
return False
return True
diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
index 70c59008f737..82ed92f915a5 100644
--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
@@ -774,7 +774,7 @@ For each field, we describe the default widget used if you don't specify
* Empty value: ``''`` (an empty string)
* Normalizes to: A string. IPv6 addresses are normalized as described below.
* Validates that the given value is a valid IP address.
- * Error message keys: ``required``, ``invalid``
+ * Error message keys: ``required``, ``invalid``, ``max_length``
The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
including using the IPv4 format suggested in paragraph 3 of that section, like
@@ -782,7 +782,7 @@ For each field, we describe the default widget used if you don't specify
``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
are converted to lowercase.
- Takes two optional arguments:
+ Takes three optional arguments:
.. attribute:: protocol
@@ -797,6 +797,15 @@ For each field, we describe the default widget used if you don't specify
``192.0.2.1``. Default is disabled. Can only be used
when ``protocol`` is set to ``'both'``.
+ .. attribute:: max_length
+
+ Defaults to 39, and behaves the same way as it does for
+ :class:`CharField`.
+
+ .. versionchanged:: 4.2.18
+
+ The default value for ``max_length`` was set to 39 characters.
+
``ImageField``
--------------
diff --git a/docs/releases/4.2.18.txt b/docs/releases/4.2.18.txt
index ae0c4e3334fb..fef91d9150bf 100644
--- a/docs/releases/4.2.18.txt
+++ b/docs/releases/4.2.18.txt
@@ -5,3 +5,15 @@ Django 4.2.18 release notes
*January 14, 2025*
Django 4.2.18 fixes a security issue with severity "moderate" in 4.2.17.
+
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.
diff --git a/docs/releases/5.0.11.txt b/docs/releases/5.0.11.txt
index c284b51435be..e5cb68488840 100644
--- a/docs/releases/5.0.11.txt
+++ b/docs/releases/5.0.11.txt
@@ -5,3 +5,15 @@ Django 5.0.11 release notes
*January 14, 2025*
Django 5.0.11 fixes a security issue with severity "moderate" in 5.0.10.
+
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.
diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py
index 80722f5c65c1..ef00a727a468 100644
--- a/tests/forms_tests/field_tests/test_genericipaddressfield.py
+++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py
@@ -1,6 +1,7 @@
from django.core.exceptions import ValidationError
from django.forms import GenericIPAddressField
from django.test import SimpleTestCase
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH
class GenericIPAddressFieldTest(SimpleTestCase):
@@ -125,6 +126,35 @@ def test_generic_ipaddress_as_ipv6_only(self):
):
f.clean("1:2")
+ def test_generic_ipaddress_max_length_custom(self):
+ # Valid IPv4-mapped IPv6 address, len 45.
+ addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
+ f = GenericIPAddressField(max_length=len(addr))
+ f.clean(addr)
+
+ def test_generic_ipaddress_max_length_validation_error(self):
+ # Valid IPv4-mapped IPv6 address, len 45.
+ addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
+
+ cases = [
+ ({}, MAX_IPV6_ADDRESS_LENGTH), # Default value.
+ ({"max_length": len(addr) - 1}, len(addr) - 1),
+ ]
+ for kwargs, max_length in cases:
+ max_length_plus_one = max_length + 1
+ msg = (
+ f"Ensure this value has at most {max_length} characters (it has "
+ f"{max_length_plus_one}).'"
+ )
+ with self.subTest(max_length=max_length):
+ f = GenericIPAddressField(**kwargs)
+ with self.assertRaisesMessage(ValidationError, msg):
+ f.clean("x" * max_length_plus_one)
+ with self.assertRaisesMessage(
+ ValidationError, "This is not a valid IPv6 address."
+ ):
+ f.clean(addr)
+
def test_generic_ipaddress_as_generic_not_required(self):
f = GenericIPAddressField(required=False)
self.assertEqual(f.clean(""), "")
@@ -150,7 +180,8 @@ def test_generic_ipaddress_as_generic_not_required(self):
f.clean(" fe80::223:6cff:fe8a:2e8a "), "fe80::223:6cff:fe8a:2e8a"
)
self.assertEqual(
- f.clean(" 2a02::223:6cff:fe8a:2e8a "), "2a02::223:6cff:fe8a:2e8a"
+ f.clean(" " * MAX_IPV6_ADDRESS_LENGTH + " 2a02::223:6cff:fe8a:2e8a "),
+ "2a02::223:6cff:fe8a:2e8a",
)
with self.assertRaisesMessage(
ValidationError, "'This is not a valid IPv6 address.'"
diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py
index bf78ed91c08f..1754c7b3569b 100644
--- a/tests/utils_tests/test_ipv6.py
+++ b/tests/utils_tests/test_ipv6.py
@@ -1,9 +1,16 @@
-import unittest
+import traceback
+from io import StringIO
-from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address
+from django.core.exceptions import ValidationError
+from django.test import SimpleTestCase
+from django.utils.ipv6 import (
+ MAX_IPV6_ADDRESS_LENGTH,
+ clean_ipv6_address,
+ is_valid_ipv6_address,
+)
-class TestUtilsIPv6(unittest.TestCase):
+class TestUtilsIPv6(SimpleTestCase):
def test_validates_correct_plain_address(self):
self.assertTrue(is_valid_ipv6_address("fe80::223:6cff:fe8a:2e8a"))
self.assertTrue(is_valid_ipv6_address("2a02::223:6cff:fe8a:2e8a"))
@@ -64,3 +71,21 @@ def test_unpacks_ipv4(self):
self.assertEqual(
clean_ipv6_address("::ffff:18.52.18.52", unpack_ipv4=True), "18.52.18.52"
)
+
+ def test_address_too_long(self):
+ addresses = [
+ "0000:0000:0000:0000:0000:ffff:192.168.100.228", # IPv4-mapped IPv6 address
+ "0000:0000:0000:0000:0000:ffff:192.168.100.228%123456", # % scope/zone
+ "fe80::223:6cff:fe8a:2e8a:1234:5678:00000", # MAX_IPV6_ADDRESS_LENGTH + 1
+ ]
+ msg = "This is the error message."
+ value_error_msg = "Unable to convert %s to an IPv6 address (value too long)."
+ for addr in addresses:
+ with self.subTest(addr=addr):
+ self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH)
+ self.assertEqual(is_valid_ipv6_address(addr), False)
+ with self.assertRaisesMessage(ValidationError, msg) as ctx:
+ clean_ipv6_address(addr, error_message=msg)
+ exception_traceback = StringIO()
+ traceback.print_exception(ctx.exception, file=exception_traceback)
+ self.assertIn(value_error_msg % addr, exception_traceback.getvalue())
From 67bb624b2d3099aee4d8d8bca8a004111bfabfaa Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Tue, 14 Jan 2025 09:01:22 -0300
Subject: [PATCH 6/6] [5.0.x] Bumped version for 5.0.11 release.
---
django/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/django/__init__.py b/django/__init__.py
index c90a5e1a5736..61d58b36fa79 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
from django.utils.version import get_version
-VERSION = (5, 0, 11, "alpha", 0)
+VERSION = (5, 0, 11, "final", 0)
__version__ = get_version(VERSION)