Bug 1220358 (CVE-2024-27351) - VUL-0: CVE-2024-27351: python-Django: potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
Summary: VUL-0: CVE-2024-27351: python-Django: potential regular expression denial-of-...
Status: IN_PROGRESS
Alias: CVE-2024-27351
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium Normal
Target Milestone: ---
Assignee: Alberto Planas Dominguez
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/395115/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-27351:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-26 12:41 UTC by Carlos López
Modified: 2024-05-08 09:30 UTC
CC List: 7 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Attached patches (6.94 KB, application/zip)
2024-02-26 12:41 UTC, Carlos López

Description Carlos López 2024-02-26 12:41:38 UTC
Created attachment 873000
Attached patches

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
==========================================================================================================

The ``django.utils.text.Truncator.words()`` method (with ``html=True``) and
the ``truncatewords_html`` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow-up to CVE-2019-14232 and CVE-2023-43665).

This issue has Moderate severity, according to the Django security policy [1].

Affected versions
=================

* Django 5.0
* Django 4.2
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 5.0.3
* Django 4.2.11
* Django 3.2.25
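Added example, not part of this bug report or of Django itself: a series-aware check of an upstream Django version string against the fixed releases named in the advisory above (5.0.3, 4.2.11, 3.2.25). The function names and the sample requirement lines are constructed for illustration; only the threshold versions come from the advisory. Series not listed in the advisory (for example the 2.2 and 1.11 packages that the SUSE update notices on this bug patch via backports) are reported as "unlisted", because an upstream version comparison says nothing about whether a distribution has backported the fix.

```python
"""Series-aware check of a Django version against the CVE-2024-27351 fixes.

Added example (hypothetical helper names); not code from the bug report
or from the Django project.
"""
from __future__ import annotations

import re

# First release of each upstream-supported series that contains the fix,
# taken from the advisory's "Resolution" section. The trailing 1 marks a
# final release so that pre-releases (5.0.3rc1 -> ..., 0) sort below it.
FIXED_RELEASES = {
    (5, 0): (5, 0, 3, 1),
    (4, 2): (4, 2, 11, 1),
    (3, 2): (3, 2, 25, 1),
}

# MAJOR.MINOR[.PATCH] followed by an optional pre-release marker (a/b/rc).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(a|b|rc)?")

# A pinned requirement such as "Django==4.2.10  # web framework".
_PIN_RE = re.compile(r"^\s*django\s*==\s*([^\s;#]+)", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][a|b|rc N]' into a comparable tuple.

    The last element is 0 for a pre-release and 1 for a final release, so
    '5.0.3rc1' compares below '5.0.3'. Any further suffix is ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Django version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), 0 if pre else 1


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for an upstream version.

    'unlisted' means the MAJOR.MINOR series is not in the advisory: it is
    either newer than the advisory or out of upstream support. For distro
    packages of such series (e.g. the 2.2.28 and 1.11.29 builds in the
    update notices on this bug) only the vendor advisory is authoritative.
    """
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if parsed >= fixed else "vulnerable"


def scan_requirements(lines) -> dict[str, str]:
    """Classify every pinned Django requirement found in the given lines."""
    results: dict[str, str] = {}
    for line in lines:
        m = _PIN_RE.match(line)
        if m:
            results[m.group(1)] = classify(m.group(1))
    return results


def check_installed() -> str | None:
    """Classify the Django importable in this interpreter, or None if absent."""
    try:
        import django  # optional; the rest of the module does not need it
    except ImportError:
        return None
    return classify(django.get_version())


# Constructed sample input: three pins as they might appear across projects.
SAMPLE_REQUIREMENTS = [
    "Django==4.2.10   # pinned before the March 2024 release",
    "django==5.0.3",
    "Django==2.2.28   # upstream EOL; rely on the distro advisory",
]

if __name__ == "__main__":
    for pin, verdict in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"Django=={pin}: {verdict}")
    print("installed:", check_installed())
```

Running the module on the constructed pins reports 4.2.10 as vulnerable, 5.0.3 as fixed and 2.2.28 as unlisted, which is the distinction to keep in mind when reading the "Sources used" lines in the update notices below: the SUSE builds carry the fix as a backport, so their upstream version number alone would be misclassified by any naive comparison.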
Comment 12 Carlos López 2024-03-04 14:00:22 UTC
Public:
https://www.openwall.com/lists/oss-security/2024/03/04/1
Comment 13 OBSbugzilla Bot 2024-03-08 15:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1220358) was mentioned in
https://build.opensuse.org/request/show/1156378 Backports:SLE-15-SP5 / python-Django
https://build.opensuse.org/request/show/1156379 Backports:SLE-15-SP5 / python-Django1
Comment 16 Marcus Meissner 2024-03-11 14:05:36 UTC
openSUSE-SU-2024:0077-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1220358
CVE References: CVE-2024-27351
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-Django-2.2.28-bp155.7.9.1
Comment 17 Marcus Meissner 2024-03-11 23:04:54 UTC
openSUSE-SU-2024:0080-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1220358
CVE References: CVE-2024-27351
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-Django1-1.11.29-bp155.4.9.1
Comment 18 OBSbugzilla Bot 2024-03-12 11:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1220358) was mentioned in
https://build.opensuse.org/request/show/1156259 Backports:SLE-15-SP6 / python-Django
Comment 19 Maintenance Automation 2024-03-13 16:30:07 UTC
SUSE-SU-2024:0875-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219683, 1220358
CVE References: CVE-2024-24680, CVE-2024-27351
Sources used:
HPE Helion OpenStack 8 (src): python-Django-1.11.29-3.59.3, venv-openstack-horizon-hpe-12.0.5~dev6-14.54.4
SUSE OpenStack Cloud 8 (src): venv-openstack-horizon-12.0.5~dev6-14.54.5, python-Django-1.11.29-3.59.3
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.59.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2024-03-13 16:30:10 UTC
SUSE-SU-2024:0874-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219683, 1220358
CVE References: CVE-2024-24680, CVE-2024-27351
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.58.3
SUSE OpenStack Cloud 9 (src): venv-openstack-horizon-14.1.1~dev11-4.51.4, python-Django1-1.11.29-3.58.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2024-03-14 20:30:02 UTC
SUSE-SU-2024:0902-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1220358
CVE References: CVE-2024-27351
Sources used:
openSUSE Leap 15.5 (src): python-Django-2.0.7-150000.1.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2024-04-08 12:30:53 UTC
SUSE-SU-2024:1141-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1220358
CVE References: CVE-2024-27351
Maintenance Incident: [SUSE:Maintenance:32991](https://smelt.suse.de/incident/32991/)
Sources used:
SUSE OpenStack Cloud 8 (src):
 python-Django-1.11.29-3.62.1, venv-openstack-horizon-12.0.5~dev6-14.56.1
SUSE OpenStack Cloud Crowbar 8 (src):
 python-Django-1.11.29-3.62.1
HPE Helion OpenStack 8 (src):
 python-Django-1.11.29-3.62.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2024-04-08 12:30:55 UTC
SUSE-SU-2024:1140-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1220358
CVE References: CVE-2024-27351
Maintenance Incident: [SUSE:Maintenance:32992](https://smelt.suse.de/incident/32992/)
Sources used:
SUSE OpenStack Cloud 9 (src):
 venv-openstack-horizon-14.1.1~dev11-4.53.1, python-Django1-1.11.29-3.61.1
SUSE OpenStack Cloud Crowbar 9 (src):
 python-Django1-1.11.29-3.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.