Bugzilla – Bug 1216590
VUL-0: CVE-2023-46695: python-Django: Potential denial of service vulnerability in ``UsernameField`` on Windows
Last modified: 2023-11-02 12:09:56 UTC
CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows ========================================================================================= The NFKC normalization is slow on Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters. In order to avoid the vulnerability, invalid values longer than ``UsernameField.max_length`` are no longer normalized, since they cannot pass validation anyway. This issue has Moderate severity, according to the Django security policy [1]. Affected versions ================= * Django main development branch * Django 5.0 (currently at beta status) * Django 4.2 * Django 4.1 * Django 3.2 Resolution ========== Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues: * Django 4.2.7 * Django 4.1.13 * Django 3.2.23
Windows only, we are not affected.
is public https://seclists.org/oss-sec/2023/q4/199