Bug 1216590 (CVE-2023-46695)

Summary:	VUL-0: CVE-2023-46695: python-Django: Potential denial of service vulnerability in ``UsernameField`` on Windows
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Carlos López <carlos.lopez>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P5 - None	CC:	cloud-bugs, gianluca.gabrielli, meissner, robert.simai
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Carlos López 2023-10-26 07:40:04 UTC

CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
=========================================================================================

The NFKC normalization is slow on Windows. As a consequence,
``django.contrib.auth.forms.UsernameField`` was subject to a potential denial
of service attack via certain inputs with a very large number of Unicode
characters.

In order to avoid the vulnerability, invalid values longer than
``UsernameField.max_length`` are no longer normalized, since they cannot pass
validation anyway.

This issue has Moderate severity, according to the Django security policy [1].

Affected versions
=================

* Django main development branch
* Django 5.0 (currently at beta status)
* Django 4.2
* Django 4.1
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 4.2.7
* Django 4.1.13
* Django 3.2.23

Comment 2 Carlos López 2023-10-26 07:41:51 UTC

Windows only, we are not affected.

Comment 3 Marcus Meissner 2023-11-02 10:56:55 UTC

is public

https://seclists.org/oss-sec/2023/q4/199