Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.

Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

docs/ref/forms/fields.txt

@@ -761,7 +761,7 @@ For each field, we describe the default widget used if you don't specify
     * Empty value: ``''`` (an empty string)
     * Normalizes to: A string. IPv6 addresses are normalized as described below.
     * Validates that the given value is a valid IP address.
-    * Error message keys: ``required``, ``invalid``
+    * Error message keys: ``required``, ``invalid``, ``max_length``
 
     The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
     including using the IPv4 format suggested in paragraph 3 of that section, like
@@ -769,7 +769,7 @@ For each field, we describe the default widget used if you don't specify
     ``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
     are converted to lowercase.
 
-    Takes two optional arguments:
+    Takes three optional arguments:
 
     .. attribute:: protocol
 
@@ -784,6 +784,15 @@ For each field, we describe the default widget used if you don't specify
         ``192.0.2.1``. Default is disabled. Can only be used
         when ``protocol`` is set to ``'both'``.
 
+    .. attribute:: max_length
+
+        Defaults to 39, and behaves the same way as it does for
+        :class:`CharField`.
+
+    .. versionchanged:: 4.2.18
+
+        The default value for ``max_length`` was set to 39 characters.
+
 ``ImageField``
 --------------
 

docs/releases/4.2.18.txt

@@ -5,3 +5,15 @@ Django 4.2.18 release notes
 *January 14, 2025*
 
 Django 4.2.18 fixes a security issue with severity "moderate" in 4.2.17.
+
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the  :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.

docs/releases/5.0.11.txt

@@ -5,3 +5,15 @@ Django 5.0.11 release notes
 *January 14, 2025*
 
 Django 5.0.11 fixes a security issue with severity "moderate" in 5.0.10.
+
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the  :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.

docs/releases/5.1.5.txt

@@ -7,6 +7,18 @@ Django 5.1.5 release notes
 Django 5.1.5 fixes a security issue with severity "moderate" and one bug in
 5.1.4.
 
+CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
+============================================================================
+
+Lack of upper bound limit enforcement in strings passed when performing IPv6
+validation could lead to a potential denial-of-service attack. The undocumented
+and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
+vulnerable, as was the  :class:`django.forms.GenericIPAddressField` form field,
+which has now been updated to define a ``max_length`` of 39 characters.
+
+The :class:`django.db.models.GenericIPAddressField` model field was not
+affected.
+
 Bugfixes
 ========