Bug 528246 (CVE-2009-3695)

Summary: CVE-2009-3695 Django's forms DOS in 1.1/1.0
Product: [Other] Security Response Reporter: Steve Milner <smilner>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, michel, rpandit, security-response-team, smilner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.djangoproject.com/weblog/2009/oct/09/security/
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-16 20:05:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steve Milner 2009-10-10 01:00:23 UTC 
This is a publicly known issue ...

Source: http://www.djangoproject.com/weblog/2009/oct/09/security/

"""
Description of vulnerability

Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.
Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

    * Django development trunk
    * Django 1.1
    * Django 1.0
"""

Currently F-11, F-10, EPEL-5 and EPEL-4 are Django-1.1-4. I've started to build the updated package.
Comment 1 Fedora Update System 2009-10-10 01:30:13 UTC 
Django-1.1.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.fc11
Comment 2 Fedora Update System 2009-10-10 01:30:22 UTC 
Django-1.1.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.el5
Comment 3 Fedora Update System 2009-10-10 01:30:30 UTC 
Django-1.1.1-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.fc10
Comment 4 Fedora Update System 2009-10-10 01:30:38 UTC 
Django-1.1.1-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.el4
Comment 5 Steve Milner 2009-10-10 01:58:40 UTC 
I've upgrade my own personal server to the EPEL-5 build with no issues so far.
Comment 6 Fedora Update System 2009-10-10 20:24:34 UTC 
Django-1.1.1-1.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update Django'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2009-0617
Comment 7 Fedora Update System 2009-10-10 20:25:32 UTC 
Django-1.1.1-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update Django'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0621
Comment 8 Michel Lind 2009-10-11 00:21:28 UTC 
Should this perhaps be pushed straight to stable?
Comment 9 Steve Milner 2009-10-12 13:29:37 UTC 
*** Bug 528442 has been marked as a duplicate of this bug. ***
Comment 10 Jan Lieskovsky 2009-10-13 13:02:58 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3695 to
the following vulnerability:

Algorithmic complexity vulnerability in the forms library in Django
1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause
a denial of service (CPU consumption) via a crafted (1) EmailField
(email address) or (2) URLField (URL) that triggers a large amount of
backtracking in a regular expression.

References:
-----------
http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457
http://www.djangoproject.com/weblog/2009/oct/09/security/
http://www.debian.org/security/2009/dsa-1905
http://www.securityfocus.com/bid/36655
http://secunia.com/advisories/36948
http://secunia.com/advisories/36968
http://www.vupen.com/english/advisories/2009/2871
http://xforce.iss.net/xforce/xfdb/53727
Comment 11 Fedora Update System 2009-10-15 22:34:35 UTC 
Django-1.1.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-10-15 22:34:49 UTC 
Django-1.1.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-10-16 19:30:39 UTC 
Django-1.1.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-10-16 19:33:54 UTC 
Django-1.1.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Steve Milner 2009-10-16 20:05:53 UTC 
F11, F10, EPEL-4 and EPEL-5 now are updated. Closing this bug.