Bug 1214667 - VUL-0: CVE-2023-41164: python-GitPython,python-Django,python-Django1: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
Summary: VUL-0: CVE-2023-41164: python-GitPython,python-Django,python-Django1: Potenti...
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/376510/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-41164:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-28 07:35 UTC by Gianluca Gabrielli
Modified: 2023-10-09 15:22 UTC (History)
7 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Upstream patches (7.61 KB, patch)
2023-08-28 07:35 UTC, Gianluca Gabrielli 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 5 Simon Lees 2023-08-28 08:07:33 UTC 
Confirmed this should probably sit within the cloud team.
Comment 14 Maintenance Automation 2023-09-05 16:30:28 UTC 
SUSE-SU-2023:3533-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214667
CVE References: CVE-2023-41164
Sources used:
SUSE OpenStack Cloud 9 (src): python-Django1-1.11.29-3.50.1
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2023-09-11 16:50:35 UTC 
SUSE-SU-2023:3580-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214667
CVE References: CVE-2023-41164
Sources used:
HPE Helion OpenStack 8 (src): python-Django-1.11.29-3.51.1
SUSE OpenStack Cloud 8 (src): python-Django-1.11.29-3.51.1
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Gianluca Gabrielli 2023-09-12 07:26:15 UTC 
Public at https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
---

CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
===============================================================================================

``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
service attack via certain inputs with a very large number of Unicode
characters.

This issue has Moderate severity, according to the Django security policy [1].

Affected versions
=================

* Django main development branch
* Django 4.2
* Django 4.1
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 4.2.5
* Django 4.1.11
* Django 3.2.21