Bug 937524 (CVE-2015-5145)

Summary: VUL-1: CVE-2015-5145: python-django: Denial-of-service possibility in URL validation
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Andreas Stieger <astieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P4 - Low
CC: smash_bz
Version: Current
Target Milestone: Current
Hardware: Other
OS: openSUSE 13.2
URL: https://smash.suse.de/issue/118500/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-07-09 11:43:00 UTC
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
Denial-of-service possibility in URL validation

django.core.validators.URLValidator included a regular expression that was extremely slow to evaluate against certain inputs. This regular expression has been simplified and optimized.

Thanks João Silva and Ross Brunton for reporting the issue.

This issue has been assigned the identifier CVE-2015-5145.

Fixed in 1.8.3, not affecting 1.4, 1.7.
https://github.com/django/django/commit/17d3a6d8044752f482453f5906026eaf12c39e8e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1240526
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5145
Comment 1 Andreas Stieger 2015-07-09 14:34:20 UTC
Does not affect SLE.
Does not affect openSUSE 13.2.
openSUSE Factory is at 1.8.2, affected.
Comment 2 Swamp Workflow Management 2015-07-09 22:00:33 UTC
bugbot adjusting priority
Comment 3 Dirk Mueller 2015-07-10 10:17:02 UTC
Submitted to Factory.
Comment 4 Bernhard Wiedemann 2015-07-10 11:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (937524) was mentioned in
https://build.opensuse.org/request/show/315825 Factory / python-Django
Comment 5 Andreas Stieger 2015-07-10 11:23:43 UTC
Thanks.
Comment 6 Swamp Workflow Management 2017-12-21 17:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (937524) was mentioned in
https://build.opensuse.org/request/show/559133 Factory / python-Django1