Bug 1215978 (CVE-2023-43665)

Summary: VUL-0: CVE-2023-43665: python-Django,python-Django1: Denial-of-service possibility in django.utils.text.Truncator
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: daniel.garcia, gabriele.sonnu, python-maintainers, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/380830/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-43665:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-05 14:13:46 UTC
From oss-security:

----
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
============================================================================

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of ``django.utils.text.Truncator``’s ``chars()`` and
``words()`` methods (with ``html=True``) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

The ``chars()`` and ``words()`` methods are used to implement the ``truncatechars_html`` and ``truncatewords_html`` template filters, which were thus also vulnerable.

The input processed by ``Truncator``, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.

Thanks Wenchao Li of Alibaba Group for the report.

This issue has severity "moderate" according to the Django security policy.

References:
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
https://www.openwall.com/lists/oss-security/2023/10/04/6
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43665
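As an added illustration of the mitigation the advisory describes (this is example code written for this page, not Django's own implementation), a simplified HTML-mode word truncator that applies the five-million-character input cap before any regular expression runs, scans the input with a single-pass tokenizer, and closes tags left open at the cut. The constant name MAX_LENGTH_HTML, the token pattern and the helper names are assumptions of this example.

```python
import re

# Assumed cap, matching the "first five million characters" limit in the advisory.
MAX_LENGTH_HTML = 5_000_000

# One token is either an HTML tag or a run of non-tag, non-space characters (a "word").
# No nested or overlapping quantifiers: every character is consumed exactly once.
_TOKEN_RE = re.compile(r"(?P<tag><[^>]*>)|(?P<word>[^<\s]+)")
_TAG_NAME_RE = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)")

# Void elements never receive a closing tag.
_VOID = {"br", "hr", "img", "input", "meta", "link", "area", "base", "col", "wbr", "source"}


def _apply_tag(tag: str, open_tags: list) -> None:
    """Update the stack of currently open elements for one tag token."""
    m = _TAG_NAME_RE.match(tag)
    if m is None or tag.endswith("/>"):
        return  # comment, doctype, malformed or self-closing tag: nothing to track
    name = m.group(1).lower()
    if name in _VOID:
        return
    if tag.startswith("</"):
        if name in open_tags:
            # drop the most recently opened element of that name
            idx = len(open_tags) - 1 - open_tags[::-1].index(name)
            del open_tags[idx]
    else:
        open_tags.append(name)


def truncate_words_html(text: str, num_words: int, truncate: str = "…",
                        max_length: int = MAX_LENGTH_HTML) -> str:
    """Keep the first `num_words` words of `text`, closing any tags still open.
    Input beyond `max_length` characters is discarded before the regex sees it."""
    if num_words <= 0:
        return ""
    text = text[:max_length]  # the cap: bounds regex work regardless of input size
    open_tags = []  # elements open at end_pos
    pending = []    # tags seen since the last kept word; applied only if that word is kept
    words_seen = 0
    end_pos = 0
    for m in _TOKEN_RE.finditer(text):
        if m.group("word") is None:
            pending.append(m.group("tag"))
            continue
        words_seen += 1
        if words_seen > num_words:
            break
        for tag in pending:
            _apply_tag(tag, open_tags)
        pending.clear()
        end_pos = m.end()
    else:
        return text  # no more than num_words words: nothing to cut
    return text[:end_pos] + truncate + "".join(f"</{n}>" for n in reversed(open_tags))
```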
Comment 2 OBSbugzilla Bot 2023-10-16 09:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1215978) was mentioned in
https://build.opensuse.org/request/show/1117946 Factory / python-Django
Comment 5 OBSbugzilla Bot 2023-10-16 12:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1215978) was mentioned in
https://build.opensuse.org/request/show/1117998 Backports:SLE-15-SP4 / python-Django
https://build.opensuse.org/request/show/1118000 Backports:SLE-15-SP5 / python-Django
https://build.opensuse.org/request/show/1118004 Backports:SLE-15-SP4 / python-Django1
https://build.opensuse.org/request/show/1118005 Backports:SLE-15-SP5 / python-Django1
Comment 6 Maintenance Automation 2023-10-17 08:30:08 UTC
SUSE-SU-2023:4092-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1215978
CVE References: CVE-2023-43665
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Marcus Meissner 2023-10-21 01:05:14 UTC
openSUSE-SU-2023:0309-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1215978
CVE References: CVE-2023-43665
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-Django-2.2.28-bp155.7.6.1
Comment 8 Marcus Meissner 2023-10-21 01:05:32 UTC
openSUSE-SU-2023:0310-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1215978
CVE References: CVE-2023-43665
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    python-Django-2.2.28-bp154.2.15.1
Comment 9 Maintenance Automation 2023-10-27 16:30:02 UTC
SUSE-SU-2023:4232-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1215978
CVE References: CVE-2023-43665
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.54.1
HPE Helion OpenStack 8 (src): python-Django-1.11.29-3.54.1
SUSE OpenStack Cloud 8 (src): python-Django-1.11.29-3.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-11-13 16:30:08 UTC
SUSE-SU-2023:4426-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1215978
CVE References: CVE-2023-43665
Sources used:
SUSE OpenStack Cloud 9 (src): python-Django1-1.11.29-3.53.1
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Marcus Meissner 2023-12-04 20:04:54 UTC
openSUSE-SU-2023:0390-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1215978
CVE References: CVE-2023-43665
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-Django1-1.11.29-bp155.4.6.1
Comment 13 Marcus Meissner 2023-12-04 20:05:12 UTC
openSUSE-SU-2023:0389-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1215978
CVE References: CVE-2023-43665
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    python-Django1-1.11.29-bp154.2.9.1