Bug 2337996 (CVE-2024-56374)

Summary: CVE-2024-56374 django: potential denial-of-service vulnerability in IPv6 validation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anthomas, apevec, brasmith, brking, carogers, caswilli, cochase, dnakabaa, dranck, eglynn, ehelms, erezende, ggainey, gtanzill, haoli, hkataria, jajackso, jcammara, jjoyce, jmitchel, jneedle, joehler, jschluet, jtanner, juwatts, jwong, kaycoth, kegrant, kholdawa, koliveir, kshier, lbrazdil, lcouzens, lhh, lsvaty, mabashia, mburns, mgarciac, mhulan, mminar, mskarbek, nmoumoul, omaciel, osousa, pbraun, pcreech, pgrist, rbiba, rchan, rgatica, rhos-maint, risantam, selvakumar_eswaran, shvarugh, simaishi, smallamp, smcdonal, sskracic, stcannon, teagle, tfister, thavo, tmalecek, tpfromme, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---Flags: selvakumar_eswaran: needinfo? (bzimport)
selvakumar_eswaran: needinfo? (rgatica)
selvakumar_eswaran: needinfo? (bzimport)
selvakumar_eswaran: needinfo? (rgatica)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Django framework. Lack of upper bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial of service attack. The undocumented and private functions `clean_ipv6_address` and `is_valid_ipv6_address` were vulnerable, as was the `django.forms.GenericIPAddressField` form field, which has now been updated to define a `max_length` of 39 characters.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2338041, 2338042, 2338043    
Bug Blocks:    

Description OSIDB Bzimport 2025-01-14 20:01:34 UTC 
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)
Comment 3 errata-xmlrpc 2025-01-27 22:41:13 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:0722 https://access.redhat.com/errata/RHSA-2025:0722
Comment 4 errata-xmlrpc 2025-01-28 19:17:13 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:0777 https://access.redhat.com/errata/RHSA-2025:0777
Comment 5 errata-xmlrpc 2025-01-28 22:39:46 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:0782 https://access.redhat.com/errata/RHSA-2025:0782
Comment 6 errata-xmlrpc 2025-03-05 14:27:33 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2025:2399 https://access.redhat.com/errata/RHSA-2025:2399
Comment 7 Selva 2025-03-18 09:11:45 UTC 
Hi 

Redhat Ansible Automation Hub affected by CVE-2024-56374 ??  

As security scanner flagged the following.

Path              : /usr/lib/python3.9/site-packages/Django-4.2.16-py3.9.egg-info/Django
  Installed version : 4.2.16
  Fixed version     : 4.2.18

RHEL OS: RHEL 8.10
Ansible Automation Platform version : 2.4 
Ansible Automation Hub : 4.9.2
Comment 8 Selva 2025-03-18 09:14:22 UTC 
Hi 

Redhat Ansible Automation Hub affected by CVE-2024-56374 ??  

As security scanner flagged the following.

Path              : /usr/lib/python3.9/site-packages/Django-4.2.16-py3.9.egg-info/Django
  Installed version : 4.2.16
  Fixed version     : 4.2.18

RHEL OS: RHEL 8.10
Ansible Automation Platform version : 2.4 
Ansible Automation Hub : 4.9.2
Comment 9 Selva 2025-03-18 09:14:53 UTC 
Hi 

Redhat Ansible Automation Hub affected by CVE-2024-56374 ??  

As security scanner flagged the following.

Path              : /usr/lib/python3.9/site-packages/Django-4.2.16-py3.9.egg-info/Django
  Installed version : 4.2.16
  Fixed version     : 4.2.18

RHEL OS: RHEL 8.10
Ansible Automation Platform version : 2.4 
Ansible Automation Hub : 4.9.2
Comment 10 Ricardo Santamaria 2025-04-22 18:49:30 UTC 
Per comment #6 and 

 Red Hat Satellite 6.16 for RHEL 8 Via RHSA-2025:2399 https://access.redhat.com/errata/RHSA-2025:2399

Can this be backported for Satellite 6.15 for RHEL 8? What may be the timeline for that to occur?