Bug 2309746

Summary: CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize()
Product: [Fedora] Fedora Reporter: Michel Lind <michel>
Component: python-djangoAssignee: Michel Lind <michel>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: aekoroglu, mhroncok, michel, mrunge, rdopiera, sgallagh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
URL: https://www.djangoproject.com/weblog/2024/sep/03/security-releases/
Whiteboard:
Fixed In Version: python-django-4.2.16-1.fc42 python-django-4.2.16-1.fc39 python-django-4.2.16-1.fc40 python-django-4.2.16-1.fc41 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-09-04 23:07:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2270473    
Bug Blocks:    

Description Michel Lind 2024-09-04 16:01:44 UTC 
urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

This issue has severity "moderate" according to the Django security policy.

Reproducible: Always
Comment 1 Fedora Update System 2024-09-04 23:05:05 UTC 
FEDORA-2024-32f24f7a71 (python-django-4.2.16-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-32f24f7a71
Comment 2 Fedora Update System 2024-09-04 23:07:30 UTC 
FEDORA-2024-32f24f7a71 (python-django-4.2.16-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 3 Fedora Update System 2024-09-05 04:00:00 UTC 
FEDORA-2024-4a08381122 (python-django-4.2.16-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-4a08381122
Comment 4 Fedora Update System 2024-09-05 04:00:01 UTC 
FEDORA-2024-e2bde0853b (python-django-4.2.16-1.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e2bde0853b
Comment 5 Fedora Update System 2024-09-05 04:00:02 UTC 
FEDORA-2024-396c94f0a3 (python-django-4.2.16-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-396c94f0a3
Comment 6 Fedora Update System 2024-09-06 03:53:17 UTC 
FEDORA-2024-e2bde0853b (python-django-4.2.16-1.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 7 Fedora Update System 2024-09-06 03:59:50 UTC 
FEDORA-2024-396c94f0a3 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-396c94f0a3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-396c94f0a3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2024-09-06 04:03:30 UTC 
FEDORA-2024-4a08381122 (python-django-4.2.16-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2024-09-13 20:51:48 UTC 
FEDORA-2024-396c94f0a3 (python-django-4.2.16-1.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.