Bug 937524 - (CVE-2015-5145) VUL-1: CVE-2015-5145: python-django: Denial-of-service possibility in URL validation
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware/OS: Other / openSUSE 13.2
Priority: P4 - Low  Severity: Normal
Target Milestone: Current
Assigned To: Security Team bot (E-mail List)
URL: https://smash.suse.de/issue/118500/
Depends on:
Blocks:
Reported: 2015-07-09 11:43 UTC by Andreas Stieger
Modified: 2020-05-04 07:45 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-07-09 11:43:00 UTC
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
Denial-of-service possibility in URL validation

django.core.validators.URLValidator included a regular expression that was extremely slow to evaluate against certain inputs. This regular expression has been simplified and optimized.

Thanks João Silva and Ross Brunton for reporting the issue.

This issue has been assigned the identifier CVE-2015-5145.

Fixed in 1.8.3, not affecting 1.4, 1.7.
https://github.com/django/django/commit/17d3a6d8044752f482453f5906026eaf12c39e8e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1240526
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5145
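The defect class the description names, a validator regex that is "extremely slow to evaluate against certain inputs" (catastrophic backtracking), shown as an added example that is not part of this bug report and not Django's URLValidator code. The two host patterns, the probe sizes and the length cap below are constructed assumptions for illustration; the point is how a maintainer can audit a validator pattern for super-linear behaviour and what the hardened form looks like.

```python
import re
import time

# Constructed, hypothetical host pattern with nested quantifiers. The inner "+"
# and the outer "+" can split one run of letters in exponentially many ways, so
# a non-matching tail makes the engine try every split before it reports
# failure. This is NOT Django's URLValidator regex; it only shows the defect class.
BACKTRACKING_HOST = re.compile(r"^(?:[a-z0-9]+\.?)+$")

# Same intent without nested quantifiers: one label, then zero or more
# ".label" groups, then an optional trailing dot. Each character can be
# consumed in only one way, so a failing input is rejected in linear time.
LINEAR_HOST = re.compile(r"^[a-z0-9]+(?:\.[a-z0-9]+)*\.?$")

# Assumed input-size cap applied before the regex runs; not a Django constant.
MAX_HOST_LENGTH = 253


def probe(pattern, sizes=(8, 12, 16, 20)):
    """Time `pattern` against a non-matching input of growing length.

    Returns a list of (length, seconds). For a linear pattern the seconds stay
    roughly flat; for a backtracking-prone one they roughly double with every
    extra character, which is the signal to look for when auditing a validator.
    """
    results = []
    for n in sizes:
        # Constructed probe input: a run of letters followed by one character
        # that no branch of the pattern can consume, forcing a full backtrack.
        candidate = "a" * n + "!"
        start = time.perf_counter()
        matched = pattern.match(candidate)
        elapsed = time.perf_counter() - start
        if matched is not None:
            raise ValueError("probe input unexpectedly matched; pick a different tail")
        results.append((n, elapsed))
    return results


def growth_ratios(results):
    """Ratio of each measurement to the previous one; values far above 1 mean super-linear."""
    ratios = []
    for (_, prev), (_, cur) in zip(results, results[1:]):
        ratios.append(cur / prev if prev > 0 else float("inf"))
    return ratios


def validate_host(host, pattern=LINEAR_HOST, max_length=MAX_HOST_LENGTH):
    """Hardened check: bound the input size first, then run a linear pattern.

    The length cap limits the work even if a later pattern change reintroduces
    backtracking; the linear pattern removes the exponential case outright.
    """
    if len(host) > max_length:
        return False
    return pattern.match(host) is not None


if __name__ == "__main__":
    for name, pat in (("nested quantifiers", BACKTRACKING_HOST), ("linear", LINEAR_HOST)):
        timings = probe(pat)
        print(name, [f"{n}:{t * 1000:.2f}ms" for n, t in timings],
              "growth", [f"{r:.1f}x" for r in growth_ratios(timings)])
    print(validate_host("example.com"), validate_host("a" * 300))
```

Running the module prints the timings for both patterns; the nested-quantifier pattern's growth ratios climb steeply across the probe sizes while the linear pattern's stay near 1. Both patterns accept and reject the same well-formed and malformed hosts in the checks above, which is the property to preserve when simplifying a validator regex as the advisory describes.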
Comment 1 Andreas Stieger 2015-07-09 14:34:20 UTC
Does not affect SLE.
Does not affect openSUSE 13.2.
openSUSE Factory is at 1.8.2, affected.
Comment 2 Swamp Workflow Management 2015-07-09 22:00:33 UTC
bugbot adjusting priority
Comment 3 Dirk Mueller 2015-07-10 10:17:02 UTC
Submitted to Factory.
Comment 4 Bernhard Wiedemann 2015-07-10 11:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (937524) was mentioned in
https://build.opensuse.org/request/show/315825 Factory / python-Django
Comment 5 Andreas Stieger 2015-07-10 11:23:43 UTC
Thanks.
Comment 6 Swamp Workflow Management 2017-12-21 17:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (937524) was mentioned in
https://build.opensuse.org/request/show/559133 Factory / python-Django1