1212742 – (CVE-2023-36053) VUL-0: CVE-2023-36053: python-Django Potential regular expression denial of service vulnerability in EmailValidator/URLValidator

Bug 1212742 (CVE-2023-36053) - VUL-0: CVE-2023-36053: python-Django Potential regular expression denial of service vulnerability in EmailValidator/URLValidator

Summary: VUL-0: CVE-2023-36053: python-Django Potential regular expression denial of s...

Status:	RESOLVED FIXED

Alias:	CVE-2023-36053

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/370504/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-36053:5.9:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-06-26 16:27 UTC by Carlos López
Modified:	2023-08-07 08:30 UTC (History)
CC List:	0 users

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Attached patches (15.00 KB, application/zip) 2023-06-26 16:27 UTC, Carlos López	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2023-06-26 16:27:20 UTC

Created attachment 867825 [details]
Attached patches

CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
===========================================================================================================

``EmailValidator`` and ``URLValidator`` were subject to potential regular
expression denial of service attack via a very large number of domain name
labels of emails and URLs.

This issue has Moderate severity, according to the Django security policy [1].

Affected versions
=================

* Django main development branch
* Django 4.2
* Django 4.1
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 4.2.3
* Django 4.1.10
* Django 3.2.20

Comment 3 Carlos López 2023-06-27 07:48:24 UTC

I'd say this affects all Django versions we support:
- SUSE:ALP:Source:Standard:1.0/python-Django
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django
- SUSE:SLE-15:Update/python-Django
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1

And for openSUSE:
- openSUSE:Backports:SLE-15-SP4:Update/python-Django
- openSUSE:Backports:SLE-15-SP5:Update/python-Django
- openSUSE:Factory/python-Django
- openSUSE:Backports:SLE-15-SP4:Update/python-Django1
- openSUSE:Backports:SLE-15-SP5:Update/python-Django1

Comment 4 Carlos López 2023-07-03 13:10:03 UTC

Public:
https://www.djangoproject.com/weblog/2023/jul/03/security-releases/

Comment 5 OBSbugzilla Bot 2023-07-10 11:55:05 UTC

This is an autogenerated message for OBS integration:
This bug (1212742) was mentioned in
https://build.opensuse.org/request/show/1097919 Backports:SLE-15-SP4 / python-Django

Comment 6 OBSbugzilla Bot 2023-07-10 12:35:02 UTC

This is an autogenerated message for OBS integration:
This bug (1212742) was mentioned in
https://build.opensuse.org/request/show/1097931 Backports:SLE-15-SP4 / python-Django1

Comment 7 OBSbugzilla Bot 2023-07-10 13:15:09 UTC

This is an autogenerated message for OBS integration:
This bug (1212742) was mentioned in
https://build.opensuse.org/request/show/1097960 Backports:SLE-15-SP5 / python-Django
https://build.opensuse.org/request/show/1097961 Backports:SLE-15-SP5 / python-Django1

Comment 9 Alberto Planas Dominguez 2023-07-10 14:09:53 UTC

All the code stream listed in c#3 should contain a version of the patch (or a full upgrade)

Comment 10 Alberto Planas Dominguez 2023-07-10 14:10:47 UTC

Moving back to security

Comment 12 Marcus Meissner 2023-07-11 16:05:29 UTC

openSUSE-SU-2023:0174-1: An update that fixes one vulnerability is now available.\n\nCategory: security (important)\nBug References: 1212742\nCVE References: CVE-2023-36053\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP4 (src):    python-Django-2.2.28-bp154.2.12.1\n\n

Comment 13 Marcus Meissner 2023-07-12 19:05:32 UTC

openSUSE-SU-2023:0177-1: An update that fixes one vulnerability is now available.\n\nCategory: security (important)\nBug References: 1212742\nCVE References: CVE-2023-36053\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP4 (src):    python-Django1-1.11.29-bp154.2.6.1\n\n

Comment 14 Marcus Meissner 2023-07-12 19:06:03 UTC

openSUSE-SU-2023:0176-1: An update that fixes one vulnerability is now available.\n\nCategory: security (important)\nBug References: 1212742\nCVE References: CVE-2023-36053\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP5 (src):    python-Django1-1.11.29-bp155.4.3.1\n\n

Comment 15 Marcus Meissner 2023-07-13 19:05:37 UTC

openSUSE-SU-2023:0178-1: An update that fixes four vulnerabilities is now available.\n\nCategory: security (moderate)\nBug References: 1203793,1207565,1208082,1212742\nCVE References: CVE-2022-41323,CVE-2023-23969,CVE-2023-24580,CVE-2023-36053\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP5 (src):    python-Django-2.2.28-bp155.7.3.1\n\n

Comment 16 Maintenance Automation 2023-07-14 21:42:54 UTC

SUSE-SU-2023:2839-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210866, 1212742
CVE References: CVE-2023-31047, CVE-2023-36053
Sources used:
openSUSE Leap 15.5 (src): python-Django-2.0.7-150000.1.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Maintenance Automation 2023-08-02 16:30:04 UTC

SUSE-SU-2023:3167-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1212742
CVE References: CVE-2023-36053
Sources used:
HPE Helion OpenStack 8 (src): python-Django-1.11.29-3.48.1
SUSE OpenStack Cloud 8 (src): python-Django-1.11.29-3.48.1
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Maintenance Automation 2023-08-07 08:30:02 UTC

SUSE-SU-2023:3202-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1212742
CVE References: CVE-2023-36053
Sources used:
SUSE OpenStack Cloud 9 (src): python-Django1-1.11.29-3.47.1
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.47.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.