Bug 2266045 (CVE-2024-27351)

Summary: CVE-2024-27351 python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, apevec, bbuckingham, bcourt, caswilli, davidn, eglynn, ehelms, epacific, gtanzill, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jschluet, jsherril, jtanner, jweng, kaycoth, kshier, lhh, lsvaty, lzap, mabashia, mburns, mgarciac, mhulan, mminar, nmoumoul, orabin, pcreech, pgrist, rbiba, rbobbitt, rchan, rhos-maint, security-response-team, simaishi, smcdonal, sskracic, stcannon, teagle, tfister, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: jjoyce: needinfo? (ybuenos)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-django 3.2.25, python-django 4.2.11, python-django 5.0.3
Doc Type: If docs needed, set a value
Doc Text:
An inefficient regular expression complexity flaw was found in the Truncator.words function and truncatewords_html filter of Django. This issue may allow an attacker to use a suitably crafted string to cause a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2266060, 2266061, 2267658, 2266059, 2266100, 2266101, 2267653, 2267654, 2267655, 2267656, 2267657, 2274544, 2274545, 2274546, 2274547
Bug Blocks: 2266064

Description ybuenos 2024-02-26 13:14:42 UTC
You're receiving this message because you are on the security prenotification list for the Django web framework; information about this list can be found in our security policy [1].

In accordance with that policy, a set of security releases will be issued on Monday, March 4, 2024 around 900 UTC. This message contains descriptions of the issue, descriptions of the changes which will be made to Django, and the patches which will be applied to Django.

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
``truncatewords_html`` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to CVE-2019-14232 and CVE-2023-43665).

This issue has Moderate severity, according to the Django security policy [1].

Affected versions
=================

* Django 5.0
* Django 4.2
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 5.0.3
* Django 4.2.11
* Django 3.2.25

[1] https://www.djangoproject.com/security/
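
The affected series and the fix releases listed above are what a practitioner needs to triage a deployment. The following is an added example, not code from this tracker, from Red Hat or from Django: it turns the "Fixed In Version" field into a check that runs over a pip freeze or requirements listing and over the Django installed in the current interpreter. Treating series older than 3.2 as affected (no fix is listed for them) and series newer than 5.0 as unknown (the page says nothing about them) is an assumption, and the sample requirements listing is constructed.

```python
"""Triage helper for CVE-2024-27351: classify a Django version against the fix
releases named in the bug above (python-django 3.2.25, 4.2.11, 5.0.3).

Added example; not code from the tracker or from Django.  ASSUMPTIONS: series
older than 3.2 are reported as affected because no fix is listed for them, and
series newer than 5.0 are reported as unknown because the page does not cover them.
"""
from __future__ import annotations

import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Series -> first fixed release, copied from the bug's "Fixed In Version" field.
FIXED_IN: dict[tuple[int, int], tuple[int, int, int]] = {
    (3, 2): (3, 2, 25),
    (4, 2): (4, 2, 11),
    (5, 0): (5, 0, 3),
}
OLDEST_FIXED_SERIES = min(FIXED_IN)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")
# A requirement line naming Django itself (not django-filter etc.), and a
# pinned one such as "Django==4.2.10".  Names are case-insensitive in pip.
_NAME_RE = re.compile(r"^\s*django\s*(?:[=<>!~\[;]|$)", re.IGNORECASE)
_PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9][0-9.]*)", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int]:
    """Reduce '4.2.10', '5.0' or '3.2.25rc1' to a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def verdict(version_text: str) -> str:
    """'affected', 'fixed' or 'unknown' for one Django version string."""
    v = parse_version(version_text)
    series = v[:2]
    if series in FIXED_IN:
        return "affected" if v < FIXED_IN[series] else "fixed"
    if series < OLDEST_FIXED_SERIES:
        return "affected"  # assumption: end-of-life series received no fix
    return "unknown"       # newer series: not covered by the tracker


def scan_requirements(lines) -> list[tuple[str, str]]:
    """Return (requirement line, verdict) for every Django entry in a
    requirements.txt / pip-freeze listing.  Unpinned specs cannot be judged
    until they are resolved, so they are reported as 'unpinned'."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line or not _NAME_RE.match(line):
            continue
        pin = _PIN_RE.match(line)
        findings.append((line, verdict(pin.group(1)) if pin else "unpinned"))
    return findings


def installed_django_verdict() -> str | None:
    """Classify the Django installed in this interpreter; None if it is absent."""
    try:
        return verdict(installed_version("Django"))
    except PackageNotFoundError:
        return None


# Constructed sample listing (not taken from any real deployment).
SAMPLE_REQUIREMENTS = """\
# pip freeze from a web tier
celery==5.3.6
Django==4.2.10        # below 4.2.11: still affected
django==5.0.3
Django>=3.2,<4        # unpinned: resolve before judging
django-filter==23.5
django==3.1.14
"""

if __name__ == "__main__":
    for line, result in scan_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"{result:9} {line}")
    print("installed:", installed_django_verdict())
```

Run it against the output of `pip freeze` on each host that serves templates using `truncatewords_html` or `Truncator.words(html=True)`; anything reported as affected or unpinned needs the matching release from the list above, or the vendor erratum named in the comments below.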

Comment 7 Borja Tarraso 2024-03-04 09:27:09 UTC
Created autotest-framework tracking bugs for this issue:

Affects: epel-all [bug 2267656]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2267657]
Affects: fedora-all [bug 2267654]


Created python-django16 tracking bugs for this issue:

Affects: epel-all [bug 2267658]


Created python-django3 tracking bugs for this issue:

Affects: epel-all [bug 2267653]
Affects: fedora-all [bug 2267655]

Comment 8 errata-xmlrpc 2024-04-02 19:30:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 11 errata-xmlrpc 2024-04-18 01:52:14 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

Comment 12 errata-xmlrpc 2024-06-10 18:37:04 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781

Comment 13 errata-xmlrpc 2024-08-20 20:30:34 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:5662 https://access.redhat.com/errata/RHSA-2024:5662

Comment 16 errata-xmlrpc 2025-04-24 13:21:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:4187 https://access.redhat.com/errata/RHSA-2025:4187