=========================== Django 1.8.19 release notes =========================== *March 6, 2018* Django 1.8.19 fixes two security issues in 1.18.18. CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters =============================================================================================== The ``django.utils.html.urlize()`` function was extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The ``urlize()`` function is used to implement the ``urlize`` and ``urlizetrunc`` template filters, which were thus vulnerable. The problematic regular expression is replaced with parsing logic that behaves similarly. CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters ================================================================================================================== If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were passed the ``html=True`` argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The ``chars()`` and ``words()`` methods are used to implement the ``truncatechars_html`` and ``truncatewords_html`` template filters, which were thus vulnerable. The backtracking problem in the regular expression is fixed.