Bug 1240526 (CVE-2015-5145)

Summary: CVE-2015-5145 Django: DoS via incorrect URL validation
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, tdecacqu, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Django 1.8.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-25 07:30:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1242350
Bug Blocks: 1239014
Attachments (description, flags):
urlvalidator-1.8.x.diff (flags: none)
urlvalidator-master.diff (flags: none)
urlvalidator-1.8.x.diff (flags: none)
urlvalidator-master.diff (flags: none)

Description Martin Prpič 2015-07-07 07:49:16 UTC
The following flaw was found in Django:

'django.core.validators.URLValidator' included a regular expression that was extremely slow to evaluate against certain invalid inputs. This regular expression has been simplified and optimized.

This flaw has been fixed in Django version 1.8.3.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.

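The slow-regex failure mode described in the report, as an added example that is not part of this bug report and is not Django's own code: the host pattern below is a constructed stand-in with the same kind of nested quantifier, not the regex Django used, and the hardened pattern, the sample hosts and the probe budget are likewise assumptions made for the illustration. The probe shows how to check a candidate regex for catastrophic backtracking under a time budget before shipping it, and the sample set shows how to confirm that a rewritten pattern still accepts exactly the same strings.

```python
import re
import time

# Constructed illustration, not Django's own URLValidator regex: a host
# matcher written the "obvious" way, with one quantified group nested inside
# another. "One or more labels, each optionally followed by a dot" lets the
# engine split a run of letters between labels in 2**(n-1) different ways, so
# an input that only fails at its last character forces every split to be
# tried before the match is rejected (catastrophic backtracking).
VULNERABLE_HOST_RE = re.compile(r'^(?:[a-z0-9-]+\.?)+$', re.IGNORECASE)

# Hardened form accepting exactly the same strings: the dot is mandatory
# between labels and optional only once at the end, so every character can
# belong to exactly one label and an invalid input is rejected in linear time.
HARDENED_HOST_RE = re.compile(r'^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.?$', re.IGNORECASE)


def is_valid_host(pattern, host):
    """True if `host` matches `pattern` in full."""
    return pattern.match(host) is not None


def crafted_input(n):
    """Attacker-style input: n valid label characters, then one byte that can
    never match. Validation fails only after the whole prefix is consumed."""
    return 'a' * n + '!'


def time_match(pattern, text):
    """Return (matched, seconds) for a single evaluation of pattern on text."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def redos_probe(pattern, make_input=crafted_input, budget=0.25, n_max=64):
    """Grow the crafted input one character at a time and time each match.

    Returns (tripped, n, seconds). `tripped` is True if one evaluation took
    longer than `budget` seconds before n reached n_max. Stepping n by one
    matters: a catastrophic pattern roughly doubles its work per extra
    character, so the probe stops at about 2*budget instead of hanging.
    """
    seconds = 0.0
    for n in range(1, n_max + 1):
        _, seconds = time_match(pattern, make_input(n))
        if seconds > budget:
            return True, n, seconds
    return False, n_max, seconds


# Constructed sample hosts used to confirm the rewrite did not change what is
# accepted; both patterns must give the same verdict on every entry.
SAMPLE_HOSTS = [
    'example.com', 'www.example.com.', 'localhost', 'a-b.c', 'EXAMPLE.COM',
    '', '.example', 'a..b', 'exa mple', 'example.com!',
]


def same_verdicts(hosts=SAMPLE_HOSTS):
    """True if the vulnerable and hardened patterns agree on every host."""
    return all(is_valid_host(VULNERABLE_HOST_RE, h) == is_valid_host(HARDENED_HOST_RE, h)
               for h in hosts)


if __name__ == '__main__':
    for name, pat in (('vulnerable', VULNERABLE_HOST_RE), ('hardened', HARDENED_HOST_RE)):
        tripped, n, secs = redos_probe(pat)
        print(f'{name}: tripped={tripped} at n={n} ({secs:.3f}s)')
    print('same verdicts on samples:', same_verdicts())
```

Run as a script, the vulnerable pattern trips the budget well before n_max while the hardened one reaches n_max without measurable delay, and both agree on every sample host. The behaviour depends on a backtracking engine such as Python's re module; the same probe is the check to run against any replacement pattern, since a rewrite that merely looks simpler can still be ambiguous.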
Comment 1 Martin Prpič 2015-07-07 07:55:48 UTC
Created attachment 1049118 [details]
urlvalidator-1.8.x.diff

Comment 2 Martin Prpič 2015-07-07 07:55:50 UTC
Created attachment 1049119 [details]
urlvalidator-master.diff

Comment 3 Martin Prpič 2015-07-08 13:35:39 UTC
Created attachment 1049882 [details]
urlvalidator-1.8.x.diff

Comment 4 Martin Prpič 2015-07-08 13:36:02 UTC
Created attachment 1049883 [details]
urlvalidator-master.diff

Comment 5 Kurt Seifried 2015-07-09 04:38:19 UTC
This is now public: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

Comment 7 Fedora Update System 2015-07-23 08:54:27 UTC
python-django-1.8.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.