Bug 528246 (CVE-2009-3695) - CVE-2009-3695 Django's forms DOS in 1.1/1.0
Summary: CVE-2009-3695 Django's forms DOS in 1.1/1.0
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-3695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.djangoproject.com/weblog/2...
Whiteboard:
: 528442 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-10 01:00 UTC by Steve Milner
Modified: 2009-10-16 20:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-16 20:05:53 UTC


Attachments (Terms of Use)

Description Steve Milner 2009-10-10 01:00:23 UTC
This is a publicly known issue ...

Source: http://www.djangoproject.com/weblog/2009/oct/09/security/

"""
Description of vulnerability

Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.
Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

    * Django development trunk
    * Django 1.1
    * Django 1.0
"""

Currently F-11, F-10, EPEL-5 and EPEL-4 are Django-1.1-4. I've started to build the updated package.

Comment 1 Fedora Update System 2009-10-10 01:30:13 UTC
Django-1.1.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.fc11

Comment 2 Fedora Update System 2009-10-10 01:30:22 UTC
Django-1.1.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.el5

Comment 3 Fedora Update System 2009-10-10 01:30:30 UTC
Django-1.1.1-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.fc10

Comment 4 Fedora Update System 2009-10-10 01:30:38 UTC
Django-1.1.1-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.el4

Comment 5 Steve Milner 2009-10-10 01:58:40 UTC
I've upgrade my own personal server to the EPEL-5 build with no issues so far.

Comment 6 Fedora Update System 2009-10-10 20:24:34 UTC
Django-1.1.1-1.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update Django'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2009-0617

Comment 7 Fedora Update System 2009-10-10 20:25:32 UTC
Django-1.1.1-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update Django'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0621

Comment 8 Michel Alexandre Salim 2009-10-11 00:21:28 UTC
Should this perhaps be pushed straight to stable?

Comment 9 Steve Milner 2009-10-12 13:29:37 UTC
*** Bug 528442 has been marked as a duplicate of this bug. ***

Comment 10 Jan Lieskovsky 2009-10-13 13:02:58 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3695 to
the following vulnerability:

Algorithmic complexity vulnerability in the forms library in Django
1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause
a denial of service (CPU consumption) via a crafted (1) EmailField
(email address) or (2) URLField (URL) that triggers a large amount of
backtracking in a regular expression.

References:
-----------
http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457
http://www.djangoproject.com/weblog/2009/oct/09/security/
http://www.debian.org/security/2009/dsa-1905
http://www.securityfocus.com/bid/36655
http://secunia.com/advisories/36948
http://secunia.com/advisories/36968
http://www.vupen.com/english/advisories/2009/2871
http://xforce.iss.net/xforce/xfdb/53727

Comment 11 Fedora Update System 2009-10-15 22:34:35 UTC
Django-1.1.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-10-15 22:34:49 UTC
Django-1.1.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-10-16 19:30:39 UTC
Django-1.1.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2009-10-16 19:33:54 UTC
Django-1.1.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Steve Milner 2009-10-16 20:05:53 UTC
F11, F10, EPEL-4 and EPEL-5 now are updated. Closing this bug.


Note You need to log in before you can comment on or make changes to this bug.