Bug 937524 (CVE-2015-5145)

Summary: VUL-1: CVE-2015-5145: python-django: Denial-of-service possibility in URL validation
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Andreas Stieger <astieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P4 - Low
CC: smash_bz
Version: Current
Target Milestone: Current
Hardware: Other
OS: openSUSE 13.2
URL: https://smash.suse.de/issue/118500/
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-07-09 11:43:00 UTC
Denial-of-service possibility in URL validation

django.core.validators.URLValidator included a regular expression that was extremely slow to evaluate against certain inputs. This regular expression has been simplified and optimized.

Thanks João Silva and Ross Brunton for reporting the issue.

This issue has been assigned the identifier CVE-2015-5145.

Fixed in 1.8.3, not affecting 1.4, 1.7.

Comment 1 Andreas Stieger 2015-07-09 14:34:20 UTC
Does not affect SLE.
Does not affect openSUSE 13.2.
openSUSE Factory is at 1.8.2, affected.
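
A check for exact Django pins that fall in the version range stated in this report (added example, not part of the bug report or of Django). The function names and sample lines are constructed here, and treating every 1.8 release below 1.8.3 as affected is an assumption.

```python
import re

# Range taken from this report: fixed in 1.8.3; 1.4 and 1.7 not affected;
# 1.8.2 affected. Treating every 1.8 release below 1.8.3 as affected is an
# assumption of this example.
FIRST_AFFECTED = (1, 8, 0)
FIRST_FIXED = (1, 8, 3)

# Matches exact final-release pins such as "Django==1.8.2" (pip freeze or
# requirements.txt style). Pre-release pins and range specifiers are skipped.
PIN_RE = re.compile(
    r"^\s*django\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:#.*)?$", re.IGNORECASE
)


def parse_version(text):
    """Turn '1.8' or '1.8.2' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version_text):
    """True if the version lies in the range this report marks as affected."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def scan_requirements(lines):
    """Return (line_number, version) for every affected exact Django pin."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = PIN_RE.match(line)
        if match and is_affected(match.group(1)):
            findings.append((number, match.group(1)))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = [
    "requests==2.7.0",
    "Django==1.8.2   # version the report lists for openSUSE Factory",
    "django==1.7.9",
    "Django==1.8.3",
    "Django==1.8",
]

if __name__ == "__main__":
    for number, version in scan_requirements(SAMPLE):
        print("line %d: Django %s is in the CVE-2015-5145 range, "
              "update to 1.8.3 or later" % (number, version))
```
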
Comment 2 Swamp Workflow Management 2015-07-09 22:00:33 UTC
bugbot adjusting priority
Comment 3 Dirk Mueller 2015-07-10 10:17:02 UTC
submitted to Factory.
Comment 4 Bernhard Wiedemann 2015-07-10 11:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (937524) was mentioned in
https://build.opensuse.org/request/show/315825 Factory / python-Django
Comment 5 Andreas Stieger 2015-07-10 11:23:43 UTC
Comment 6 Swamp Workflow Management 2017-12-21 17:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (937524) was mentioned in
https://build.opensuse.org/request/show/559133 Factory / python-Django1