|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2024-27351: python-Django: potential regular expression denial-of-service in ``django.utils.text.Truncator.words()`` | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Carlos López <carlos.lopez> |
| Component: | Incidents | Assignee: | Alberto Planas Dominguez <aplanas> |
| Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | aplanas, daniel.garcia, gayane.osipyan, Gyee, mcepl, robert.simai, saweber |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/395115/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-27351:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | Attached patches | ||
This is an autogenerated message for OBS integration: This bug (1220358) was mentioned in https://build.opensuse.org/request/show/1156378 Backports:SLE-15-SP5 / python-Django https://build.opensuse.org/request/show/1156379 Backports:SLE-15-SP5 / python-Django1 openSUSE-SU-2024:0077-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1220358 CVE References: CVE-2024-27351 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): python-Django-2.2.28-bp155.7.9.1 openSUSE-SU-2024:0080-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1220358 CVE References: CVE-2024-27351 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): python-Django1-1.11.29-bp155.4.9.1 This is an autogenerated message for OBS integration: This bug (1220358) was mentioned in https://build.opensuse.org/request/show/1156259 Backports:SLE-15-SP6 / python-Django SUSE-SU-2024:0875-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1219683, 1220358 CVE References: CVE-2024-24680, CVE-2024-27351 Sources used: HPE Helion OpenStack 8 (src): python-Django-1.11.29-3.59.3, venv-openstack-horizon-hpe-12.0.5~dev6-14.54.4 SUSE OpenStack Cloud 8 (src): venv-openstack-horizon-12.0.5~dev6-14.54.5, python-Django-1.11.29-3.59.3 SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.59.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:0874-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1219683, 1220358 CVE References: CVE-2024-24680, CVE-2024-27351 Sources used: SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.58.3 SUSE OpenStack Cloud 9 (src): venv-openstack-horizon-14.1.1~dev11-4.51.4, python-Django1-1.11.29-3.58.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:0902-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1220358 CVE References: CVE-2024-27351 Sources used: openSUSE Leap 15.5 (src): python-Django-2.0.7-150000.1.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:1141-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1220358 CVE References: CVE-2024-27351 Maintenance Incident: [SUSE:Maintenance:32991](https://smelt.suse.de/incident/32991/) Sources used: SUSE OpenStack Cloud 8 (src): python-Django-1.11.29-3.62.1, venv-openstack-horizon-12.0.5~dev6-14.56.1 SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.62.1 HPE Helion OpenStack 8 (src): python-Django-1.11.29-3.62.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.56.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:1140-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1220358 CVE References: CVE-2024-27351 Maintenance Incident: [SUSE:Maintenance:32992](https://smelt.suse.de/incident/32992/) Sources used: SUSE OpenStack Cloud 9 (src): venv-openstack-horizon-14.1.1~dev11-4.53.1, python-Django1-1.11.29-3.61.1 SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.61.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. |
Created attachment 873000 [details] Attached patches VE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()`` ========================================================================================================= ``django.utils.text.Truncator.words()`` method (with ``html=True``) and ``truncatewords_html`` template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). This issue has Moderate severity, according to the Django security policy [1]. Affected versions ================= * Django 5.0 * Django 4.2 * Django 3.2 Resolution ========== Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues: * Django 5.0.3 * Django 4.2.11 * Django 3.2.25