https://www.djangoproject.com/weblog/2025/jan/14/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing releases for
`Django 5.1.5 <https://docs.djangoproject.com/en/dev/releases/5.1.5/>`_,
`Django 5.0.11 <https://docs.djangoproject.com/en/dev/releases/5.0.11/>`_, and
`Django 4.2.18 <https://docs.djangoproject.com/en/dev/releases/4.2.18/>`_.
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
============================================================================

The absence of an upper bound on the length of strings passed to IPv6
validation could lead to a potential denial-of-service attack. The undocumented
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
vulnerable, as was the ``django.forms.GenericIPAddressField`` form field, which
has now been updated to define a ``max_length`` of 39 characters.

The ``django.db.models.GenericIPAddressField`` model field was not affected.

Thanks to Saravana Kumar for the report.

This issue has severity "moderate" according to the Django security policy.
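A length-bounded validator in the spirit of the fix described above, as an added example that is not Django's own code: the length check runs before the parser is ever called, so an oversized submission is rejected at constant cost. The function names, the ``status`` return value and the 15-character IPv4 bound are assumptions of this example; only the 39-character IPv6 bound comes from the release notes.

```python
"""Bounded IP validation (added example, not Django's implementation)."""
import ipaddress
from typing import Optional, Tuple

# Longest textual IPv6 address: eight 4-digit hex groups plus seven
# colons (8 * 4 + 7 = 39). This is the max_length the form field now sets.
MAX_IPV6_ADDRESS_LENGTH = 39
# Longest dotted-quad IPv4 address ("255.255.255.255"); assumed bound.
MAX_IPV4_ADDRESS_LENGTH = 15


def clean_ipv6_address(
    value: str, max_length: int = MAX_IPV6_ADDRESS_LENGTH
) -> Tuple[Optional[str], str]:
    """Return (compressed_address, status).

    status is 'ok', 'too_long' or 'invalid'. The length check comes first,
    so 'too_long' input never reaches ipaddress.IPv6Address().
    """
    if len(value) > max_length:
        return None, "too_long"
    try:
        addr = ipaddress.IPv6Address(value)
    except ipaddress.AddressValueError:
        return None, "invalid"
    return str(addr), "ok"  # normalised, compressed form


def clean_generic_ip_address(
    value: str, protocol: str = "both"
) -> Tuple[Optional[str], str]:
    """Generic-field style cleaning: accept IPv4 and/or IPv6, both bounded."""
    if protocol in ("both", "ipv4") and len(value) <= MAX_IPV4_ADDRESS_LENGTH:
        try:
            return str(ipaddress.IPv4Address(value)), "ok"
        except ipaddress.AddressValueError:
            pass  # fall through to IPv6 when allowed
    if protocol in ("both", "ipv6"):
        return clean_ipv6_address(value)
    return None, "invalid"


if __name__ == "__main__":
    # Constructed inputs: a normal address, an expanded one and an oversized one.
    for sample in ("2001:db8::1",
                   "0000:0000:0000:0000:0000:0000:0000:0001",
                   "2001:db8::" + "0" * 100):
        print(repr(sample[:48]), "->", clean_ipv6_address(sample))
```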


Affected supported versions
===========================

* Django main
* Django 5.1
* Django 5.0
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's
main, 5.1, 5.0, and 4.2 branches.
The patches may be obtained from the following changesets.

CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
----------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/ca2be7724e1244a4cb723de40a070f873c6e94bf>`__
* On the `5.1 branch <https://github.com/django/django/commit/4806731e58f3e8700a3c802e77899d54ac6021fe>`__
* On the `5.0 branch <https://github.com/django/django/commit/e8d4a2005955dcf962193600b53bf461b190b455>`__
* On the `4.2 branch <https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e>`__


The following releases have been issued
=======================================

* Django 5.1.5 (`download Django 5.1.5
  <https://www.djangoproject.com/m/releases/5.1/Django-5.1.5.tar.gz>`_ |
  `5.1.5 checksums
  <https://www.djangoproject.com/m/pgp/Django-5.1.5.checksum.txt>`_)
* Django 5.0.11 (`download Django 5.0.11
  <https://www.djangoproject.com/m/releases/5.0/Django-5.0.11.tar.gz>`_ |
  `5.0.11 checksums
  <https://www.djangoproject.com/m/pgp/Django-5.0.11.checksum.txt>`_)
* Django 4.2.18 (`download Django 4.2.18
  <https://www.djangoproject.com/m/releases/4.2/Django-4.2.18.tar.gz>`_ |
  `4.2.18 checksums
  <https://www.djangoproject.com/m/pgp/Django-4.2.18.checksum.txt>`_)

The PGP key ID used for this release is Natalia Bidart:
`2EE82A8D9470983E <https://github.com/nessita.gpg>`_

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email
to ``secur...@djangoproject.com``, and not via Django's Trac instance, nor via
the Django Forum, nor via the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further information.
