The Django project reports the following issue: """ Given a form that uses ``ModelMultipleChoiceField`` and ``show_hidden_initial=True`` (not a documented API), it was possible for a user to cause an unreasonable number of SQL queries by submitting duplicate values for the field's data. The validation logic in ``ModelMultipleChoiceField`` now deduplicates submitted values to address this issue. """ This issue is resolved in the upstream versions 1.7.3 and 1.6.10. Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue.
Created attachment 977200 [details] mmc-dos-1.6.x.patch
Created attachment 977201 [details] mmc-dos-1.7.x.patch
Created attachment 977202 [details] mmc-dos-master.patch
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1181951] Affects: epel-7 [bug 1181952]
External References: https://www.djangoproject.com/weblog/2015/jan/13/security/
python-django-1.6.10-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.18-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django-1.6.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
all related bzs have been closed already.