Bug 2218004 (CVE-2023-36053)

Summary: CVE-2023-36053 python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: python-django 4.2.3, python-django 4.1.10, python-django 3.2.20
Doc Text:
A regular expression denial of service vulnerability has been found in Django. Email and URL validators are vulnerable to this flaw when processing a very large number of domain name labels of emails and URLs.
CC: adudiak, amctagga, aoconnor, apevec, bbuckingham, bcourt, bniver, caswilli, cwelton, dhughes, eglynn, ehelms, epacific, flucifre, gmeno, gtanzill, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jsherril, jtanner, kaycoth, kshier, lhh, lzap, mabashia, mbenjamin, mburns, mgarciac, mhackett, mhulan, mminar, myarboro, nmoumoul, nweather, orabin, pcreech, pgrist, rbiba, rchan, rhos-maint, security-response-team, simaishi, smcdonal, sostapov, sskracic, stcannon, teagle, tfister, vereddy, yguenane, zsadeh
Bug Depends On: 2218251, 2218252, 2218253, 2218254, 2218255, 2218256, 2218257, 2218258, 2218259, 2218261, 2218262, 2218263, 2218264, 2218265, 2218266, 2218268, 2218269, 2218270, 2218272, 2219379, 2219380, 2219381, 2219382, 2219383, 2238377
Bug Blocks: 2218003

Description Guilherme de Almeida Suckevicz 2023-06-27 19:24:07 UTC
``EmailValidator`` and ``URLValidator`` were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.

Affected versions:
Django main development branch, Django 4.2, Django 4.1, Django 3.2
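
Added illustration of the bug class this report names; it is not code from Django, from the reporter, or from the linked errata. It pairs a constructed domain-label regex whose label split is ambiguous (so a long run of labels followed by a non-matching tail makes the backtracking engine try every split) with an unambiguous one, and shows the pre-check a hardened validator performs before any regex runs: bound total length, local-part length, domain length and label count first. The regexes, the limits (320, 64, 253, 127), the function names and the hostile input are all assumptions made for this example and are not Django's validator patterns or constants.

```python
"""Added example, not code from Django or from this bug report.

Shows (1) how an ambiguous domain-label regex is made to backtrack
exponentially by a long run of labels, and (2) the pre-check pattern that
contains such bugs: bound the input before any regex sees it.  All patterns,
limits and sample inputs are constructed for the illustration.
"""
import re
import time

# Constructed *vulnerable* pattern: the label class also accepts '.', so a
# string of N dot-separated labels can be split into iterations in roughly
# 2^(N-1) ways.  When the tail fails, Python's backtracking engine tries all
# of them before giving up.  This is NOT Django's regex.
AMBIGUOUS_DOMAIN_RE = re.compile(r"^(?:[a-z0-9.-]+\.)+[a-z]{2,63}$")

# Constructed *unambiguous* pattern: a label never contains '.', so each
# iteration must end at exactly one dot and there is a single way to split.
# Per-label length limits follow RFC 1034 (at most 63 characters).
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Limits chosen for the example (assumptions, not Django constants):
MAX_EMAIL_LENGTH = 320   # 64-char local part + '@' + 255-char domain
MAX_LOCAL_LENGTH = 64
MAX_DOMAIN_LENGTH = 253  # longest textual hostname
MAX_LABELS = 127         # 253 characters cannot hold more than 127 labels


def hostile_domain(labels: int) -> str:
    """Constructed input: many one-character labels followed by a byte that no
    label may contain, so the match must fail after exhausting backtracking."""
    return ".".join(["a"] * labels) + "!"


def time_match(pattern: re.Pattern, value: str) -> float:
    """Seconds spent in a single match attempt (demonstration only)."""
    start = time.perf_counter()
    pattern.match(value)
    return time.perf_counter() - start


def validate_email_naive(value: str) -> bool:
    """No bounds: every input, however long, reaches the ambiguous regex."""
    if "@" not in value:
        return False
    _local, domain = value.rsplit("@", 1)
    return AMBIGUOUS_DOMAIN_RE.match(domain.lower()) is not None


def validate_email_hardened(value: str) -> bool:
    """Cheap O(n) rejections first; the regex only ever sees bounded input."""
    if not value or "@" not in value or len(value) > MAX_EMAIL_LENGTH:
        return False
    local, domain = value.rsplit("@", 1)
    if not local or len(local) > MAX_LOCAL_LENGTH:
        return False
    if not domain or len(domain) > MAX_DOMAIN_LENGTH:
        return False
    # Redundant given the length cap, but states the "very large number of
    # labels" condition from the advisory explicitly.
    if domain.count(".") + 1 > MAX_LABELS:
        return False
    return DOMAIN_RE.match(domain.lower()) is not None


if __name__ == "__main__":
    # Each extra label roughly doubles the ambiguous pattern's cost; the
    # unambiguous pattern stays linear on the same input.
    for n in (12, 16, 20):
        d = hostile_domain(n)
        print(f"{n:2d} labels: ambiguous {time_match(AMBIGUOUS_DOMAIN_RE, d):.4f}s"
              f"  unambiguous {time_match(DOMAIN_RE, d):.6f}s")
    oversized = "x@" + hostile_domain(400)
    print("hardened rejects a 400-label address before any regex runs:",
          not validate_email_hardened(oversized))
```

Running the block prints the timings: the ambiguous pattern's cost grows by about 2x per added label while the unambiguous one stays flat. Note the two measures are complementary, not interchangeable: a length cap alone bounds a merely polynomial regex, but an exponential pattern is still catastrophic on a 300-character input, so the regex itself must also be made unambiguous.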

Comment 11 Guilherme de Almeida Suckevicz 2023-07-03 12:09:26 UTC
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2219381]
Affects: fedora-all [bug 2219383]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 2219379]


Created python-django3 tracking bugs for this issue:

Affects: epel-8 [bug 2219380]
Affects: fedora-all [bug 2219382]

Comment 17 errata-xmlrpc 2023-08-21 17:04:51 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4692 https://access.redhat.com/errata/RHSA-2023:4692

Comment 18 errata-xmlrpc 2023-08-21 21:49:39 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693

Comment 20 errata-xmlrpc 2023-10-19 13:13:10 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931

Comment 21 errata-xmlrpc 2023-11-08 14:17:25 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818

Comment 22 errata-xmlrpc 2024-01-16 14:35:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0212 https://access.redhat.com/errata/RHSA-2024:0212

Comment 26 errata-xmlrpc 2024-04-18 01:51:33 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878