Bug 1083305 - (CVE-2018-7537) VUL-0: CVE-2018-7537: python-Django: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2018-7537:5.0:(AV:N/AC...
Depends on:
Blocks:
Reported: 2018-02-28 13:50 UTC by Karol Babioch
Modified: 2022-07-27 09:45 UTC
CC: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patches.tar.gz (4.49 KB, application/gzip)
2018-02-28 14:05 UTC, Karol Babioch

Comment 4 Marcus Meissner 2018-03-12 10:15:18 UTC
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/


CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

Thanks James Davis for reporting this issue.
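The advisory above attributes the slowdown to catastrophic backtracking in a regular expression used by Truncator when html=True. Django's own code is not on this page; the block below is an added example, written for this bug entry rather than taken from Django or SUSE, of the design property a safe truncatechars_html-style filter needs: an HTML-aware character truncator that scans the input once without any regular expression (so its cost is linear in the input length) and that refuses inputs above a hard size cap. MAX_INPUT_CHARS, VOID_TAGS and the function names are constructed for the illustration and are not Django settings or APIs.

```python
"""Backtracking-free HTML-aware character truncation (added example, not
Django code).  Every input character is visited once and nothing is
re-examined, so there is no regex engine to drive into exponential
backtracking, and input above a hard cap is rejected outright."""

# Constructed cap: the filter refuses oversized input rather than working
# harder on it.  The value is a deployment choice, not a Django setting.
MAX_INPUT_CHARS = 100_000

# Elements that never receive a closing tag, so they are never left "open".
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def _parse_tag(raw):
    """Split the text between '<' and '>' into (name, is_closing, is_self_closing).
    Comments and processing instructions yield an empty name and are ignored."""
    body = raw.strip()
    is_closing = body.startswith("/")
    is_self_closing = body.endswith("/") and not is_closing
    body = body.strip("/").strip()
    name = body.split(None, 1)[0].lower() if body else ""
    if name.startswith(("!", "?")):
        name = ""
    return name, is_closing, is_self_closing


def truncate_chars_html(text, limit, marker="..."):
    """Keep at most `limit` visible characters of `text`; if anything visible
    is left over, append `marker` and close every still-open element.
    Tags and character references (&amp; etc.) are copied through without
    being counted.  Whitespace counts as visible.  Runs in O(len(text))."""
    if len(text) > MAX_INPUT_CHARS:
        raise ValueError("input exceeds MAX_INPUT_CHARS; refusing to truncate")

    out = []          # output pieces
    open_tags = []    # stack of element names opened but not yet closed
    visible = 0       # visible characters emitted so far
    i, n = 0, len(text)

    while i < n:
        ch = text[i]
        if ch == "<":
            end = text.find(">", i + 1)
            if end != -1:
                name, is_closing, is_self_closing = _parse_tag(text[i + 1:end])
                if name and is_closing:
                    # Pop back to the matching element; ignore stray closers.
                    if name in open_tags:
                        while open_tags and open_tags.pop() != name:
                            pass
                elif name and not is_self_closing and name not in VOID_TAGS:
                    open_tags.append(name)
                out.append(text[i:end + 1])
                i = end + 1
                continue
            # Unterminated '<': fall through and treat it as ordinary text.
        if visible >= limit:
            break
        if ch == "&":
            # A character reference such as &amp; counts as one visible char.
            end = text.find(";", i + 1, i + 12)
            if end != -1 and text[i + 1:end].replace("#", "").isalnum():
                out.append(text[i:end + 1])
                visible += 1
                i = end + 1
                continue
        out.append(ch)
        visible += 1
        i += 1

    if i < n:
        # Visible text was cut off: mark the cut and rebalance the markup.
        out.append(marker)
        for name in reversed(open_tags):
            out.append("</%s>" % name)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input.
    print(truncate_chars_html("<p>Hello <b>world</b></p>", 7))
```

The two checks worth carrying into a real filter are the ones the loop makes explicit: the scan index only ever moves forward, and the length test happens before any work is done. Both hold regardless of how the input is shaped, which is exactly the guarantee a backtracking regex cannot give.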
Comment 5 Swamp Workflow Management 2018-03-19 08:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (1083305) was mentioned in
https://build.opensuse.org/request/show/588436 Factory / python-Django
Comment 8 Swamp Workflow Management 2018-03-22 10:10:30 UTC
This is an autogenerated message for OBS integration:
This bug (1083305) was mentioned in
https://build.opensuse.org/request/show/589964 42.3 / python-Django
Comment 9 Swamp Workflow Management 2018-03-23 21:30:32 UTC
This is an autogenerated message for OBS integration:
This bug (1083305) was mentioned in
https://build.opensuse.org/request/show/590768 42.3 / python3-Django
Comment 10 Nanuk Krinner 2018-03-26 15:17:32 UTC
@Rick: Updated packages in Devel:Cloud6 and Devel:Cloud:8 - no python-Django in Devel:Cloud:7.
Comment 11 Rick Salevsky 2018-03-26 15:21:32 UTC
@Tom: Why don't we update Django in Cloud7?
Comment 12 Thomas Bechtold 2018-03-27 06:01:15 UTC
(In reply to Rick Salevsky from comment #11)
> @Tom: Why don't we update Django in Cloud7?

We do. See https://build.suse.de/request/show/159529 . But it looks like the package is not in Devel:Cloud:7. You can copy it there.
Comment 13 Swamp Workflow Management 2018-03-27 10:09:10 UTC
openSUSE-SU-2018:0824-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src):    python3-Django-1.8.19-5.3.1
Comment 14 Swamp Workflow Management 2018-03-27 10:11:34 UTC
openSUSE-SU-2018:0826-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src):    python-Django-1.8.19-6.4.1
Comment 15 Rick Salevsky 2018-03-28 11:37:20 UTC
Updates got submitted, reassigning to security.
Comment 16 Swamp Workflow Management 2018-04-18 10:13:25 UTC
SUSE-SU-2018:0973-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305
CVE References: CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 7 (src):    python-Django-1.8.19-3.4.1
Comment 18 Swamp Workflow Management 2018-04-27 19:10:30 UTC
SUSE-SU-2018:1102-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999
CVE References: CVE-2016-2512,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 6 (src):    python-Django-1.8.19-3.6.1
Comment 21 Swamp Workflow Management 2018-06-27 16:12:11 UTC
SUSE-SU-2018:1828-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1083304,1083305,967999
CVE References: CVE-2016-2512,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE Enterprise Storage 4 (src):    python-Django-1.6.11-5.5.1
Comment 22 Swamp Workflow Management 2018-06-27 19:08:53 UTC
SUSE-SU-2018:1830-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1083304,1083305,967999
CVE References: CVE-2016-2512,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE Enterprise Storage 5 (src):    python-Django-1.6.11-6.5.1
Comment 23 Marcus Meissner 2018-09-07 12:46:00 UTC
done