Django

Latest version: v5.1.3


===========================
3.2.21 (Not secure)
===========================

*September 4, 2023*

Django 3.2.21 fixes a security issue with severity "moderate" in 3.2.20.

CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``
===================================================================================================

``django.utils.encoding.uri_to_iri()`` was subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters.


===========================
3.2.20 (Not secure)
===========================

*July 3, 2023*

Django 3.2.20 fixes a security issue with severity "moderate" in 3.2.19.

CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
===================================================================================================================

``EmailValidator`` and ``URLValidator`` were subject to a potential regular
expression denial-of-service attack via a very large number of domain name
labels in emails and URLs.


===========================
3.2.19 (Not secure)
===========================

*May 3, 2023*

Django 3.2.19 fixes a security issue with severity "low" in 3.2.18.

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
=================================================================================================

Uploading multiple files using one form field has never been supported by
:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last
uploaded file was validated. Unfortunately, the :ref:`uploading_multiple_files`
topic suggested otherwise.

In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput`
and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when
the ``multiple`` HTML attribute is set on them. To prevent the exception and
keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files
through a single field, see :ref:`uploading_multiple_files`.


===========================
3.2.18 (Not secure)
===========================

*February 14, 2023*

Django 3.2.18 fixes a security issue with severity "moderate" in 3.2.17.

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
=========================================================================

Passing certain inputs to multipart forms could result in too many open files
or memory exhaustion, and provided a potential vector for a denial-of-service
attack.

The number of file parts parsed is now limited via the new
:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.


===========================
3.2.17 (Not secure)
===========================

*February 1, 2023*

Django 3.2.17 fixes a security issue with severity "moderate" in 3.2.16.

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers
===========================================================================

The parsed values of ``Accept-Language`` headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.

In order to avoid this vulnerability, the ``Accept-Language`` header is now
parsed up to a maximum length.
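
A sketch of the mitigation described above, as an added example that is not Django's own code: the header is capped before it reaches the memoised parser, so no cached key can exceed the cap. The function names, the 500-character limit and the cache size are assumptions of this example.

```python
from functools import lru_cache

# Assumed cap for this sketch; the page does not state the value Django uses.
MAX_HEADER_LENGTH = 500


def cap_header(value, limit=MAX_HEADER_LENGTH):
    """Bound the header before it is used as a cache key.

    Over-long values are cut at the last comma inside the limit so that no
    partial language range is parsed; with no comma in range, nothing is kept.
    """
    if len(value) <= limit:
        return value
    cut = value.rfind(",", 0, limit)
    return value[:cut] if cut > 0 else ""


@lru_cache(maxsize=1000)  # assumed cache size
def parse_cached(value):
    """Return ((lang, q), ...) sorted by descending q; malformed input -> ()."""
    ranges = []
    for piece in value.lower().split(","):
        lang, _, params = piece.strip().partition(";")
        lang = lang.strip()
        if not lang:
            continue
        q = 1.0
        params = params.strip()
        if params:
            if not params.startswith("q="):
                return ()
            try:
                q = float(params[2:])
            except ValueError:
                return ()
        if not 0 <= q <= 1:
            return ()
        ranges.append((lang, q))
    return tuple(sorted(ranges, key=lambda r: r[1], reverse=True))


def parse_accept_language(value):
    """Public entry point: cap first, then parse through the cache."""
    return parse_cached(cap_header(value))
```

Without the cap, each distinct oversized header would be stored whole as a cache key; with it, oversized headers that share a prefix collapse to one small entry.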


===========================
3.2.16 (Not secure)
===========================

*October 4, 2022*

Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.

CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
===================================================================================

Internationalized URLs were subject to a potential denial-of-service attack via
the locale parameter.

