Bug 1203793 - (CVE-2022-41323) VUL-0: CVE-2022-41323: python-Django: potential denial-of-service vulnerability in internationalized URLs
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Normal
Assigned To: Alberto Planas Dominguez
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/343663/
Reported: 2022-09-27 12:10 UTC by Carlos López
Modified: 2023-02-02 16:35 UTC
Attachments
- main branch patch (3.26 KB, patch), 2022-09-27 12:17 UTC, Carlos López
- 4.1.x patch (3.27 KB, patch), 2022-09-27 12:17 UTC, Carlos López
- 4.0.x patch (2.74 KB, patch), 2022-09-27 12:18 UTC, Carlos López
- 3.2.x patch (2.16 KB, patch), 2022-09-27 12:18 UTC, Carlos López

Description Carlos López 2022-09-27 12:10:18 UTC
Internationalized URLs were subject to potential denial of service attack via the locale parameter. This is now escaped to avoid this possibility.

Affected versions
=================

* Django main development branch
* Django 4.1
* Django 4.0
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 4.1.2
* Django 4.0.8
* Django 3.2.16
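Added example, not code from the attached patches or from Django itself: a minimal reconstruction of the issue the advisory describes, where the locale prefix "<language code>/" is compiled into a regular expression for the URL resolver, and the fix is to pass it through re.escape() first so every character is matched literally. The function names, the sample language codes and the metacharacter audit are constructed for this demonstration.

```python
import re

# Regex metacharacters that change meaning when a prefix is compiled unescaped.
_METACHARS = set(r".^$*+?{}[]\|()")


def locale_prefix_regex(language_code: str, escape: bool = True) -> re.Pattern:
    """Compile the locale prefix "<code>/" into a pattern.

    escape=False mirrors the pre-fix behaviour: the prefix string is compiled
    as a regex verbatim, so any metacharacter in the code is interpreted.
    escape=True mirrors the CVE-2022-41323 fix: re.escape() makes the prefix
    a literal match regardless of what the code contains.
    """
    prefix = f"{language_code}/"
    return re.compile(re.escape(prefix) if escape else prefix)


def prefix_matches(language_code: str, path: str, escape: bool = True) -> bool:
    """Return True if the compiled locale prefix matches the start of path."""
    return locale_prefix_regex(language_code, escape).match(path) is not None


def codes_with_regex_metachars(language_codes) -> list:
    """Defensive audit: language codes containing regex metacharacters.

    For well-formed codes such as "en-us" or "pt-br" the result is empty; any
    hit is a code that an unescaped prefix would treat as a pattern rather
    than as a literal string.
    """
    return [code for code in language_codes if _METACHARS & set(code)]


if __name__ == "__main__":
    # Constructed sample codes: one ordinary, one carrying a metacharacter.
    print(codes_with_regex_metachars(["en", "en-us", "pt-br", "en.us"]))
    # Unescaped, "." is a wildcard and "enXus/" is accepted as the en.us prefix;
    # escaped, only the literal "en.us/" matches.
    print(prefix_matches("en.us", "enXus/", escape=False))  # True
    print(prefix_matches("en.us", "enXus/", escape=True))   # False
```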
Comment 3 Carlos López 2022-09-27 12:14:38 UTC
This affects:
- openSUSE:Backports:SLE-15-SP3/python-Django
- openSUSE:Backports:SLE-15-SP4/python-Django
- openSUSE:Factory/python-Django
Comment 4 Carlos López 2022-09-27 12:17:17 UTC
Created attachment 861765 [details]
main branch patch
Comment 5 Carlos López 2022-09-27 12:17:47 UTC
Created attachment 861766 [details]
4.1.x patch
Comment 6 Carlos López 2022-09-27 12:18:09 UTC
Created attachment 861767 [details]
4.0.x patch
Comment 7 Carlos López 2022-09-27 12:18:47 UTC
Created attachment 861768 [details]
3.2.x patch
Comment 9 Alberto Planas Dominguez 2022-10-04 10:53:27 UTC
All the SR / MR should be in place
Comment 10 OBSbugzilla Bot 2022-10-04 11:25:06 UTC
This is an autogenerated message for OBS integration:
This bug (1203793) was mentioned in
https://build.opensuse.org/request/show/1007887 Backports:SLE-15-SP3 / python-Django
https://build.opensuse.org/request/show/1007888 Backports:SLE-15-SP4 / python-Django
Comment 11 Swamp Workflow Management 2023-01-03 14:23:36 UTC
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-Django-2.2.28-bp153.2.3.1
Comment 12 OBSbugzilla Bot 2023-02-02 16:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203793) was mentioned in
https://build.opensuse.org/request/show/1062680 Backports:SLE-15-SP4 / python-Django