Bug 528246 (CVE-2009-3695) - CVE-2009-3695 Django's forms DOS in 1.1/1.0
Summary: CVE-2009-3695 Django's forms DOS in 1.1/1.0
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-3695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.djangoproject.com/weblog/2...
Whiteboard:
Duplicates: 528442 (view as bug list)
Depends On:
Blocks:
Reported: 2009-10-10 01:00 UTC by Steve Milner
Modified: 2009-10-16 20:05 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-16 20:05:53 UTC
Embargoed:



Description Steve Milner 2009-10-10 01:00:23 UTC
This is a publicly known issue ...

Source: http://www.djangoproject.com/weblog/2009/oct/09/security/

"""
Description of vulnerability

Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

    * Django development trunk
    * Django 1.1
    * Django 1.0
"""

Currently F-11, F-10, EPEL-5 and EPEL-4 are Django-1.1-4. I've started to build the updated package.

Comment 1 Fedora Update System 2009-10-10 01:30:13 UTC
Django-1.1.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.fc11

Comment 2 Fedora Update System 2009-10-10 01:30:22 UTC
Django-1.1.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.el5

Comment 3 Fedora Update System 2009-10-10 01:30:30 UTC
Django-1.1.1-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.fc10

Comment 4 Fedora Update System 2009-10-10 01:30:38 UTC
Django-1.1.1-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/Django-1.1.1-1.el4

Comment 5 Steve Milner 2009-10-10 01:58:40 UTC
I've upgraded my own personal server to the EPEL-5 build with no issues so far.

Comment 6 Fedora Update System 2009-10-10 20:24:34 UTC
Django-1.1.1-1.el4 has been pushed to the Fedora EPEL 4 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update Django'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2009-0617

Comment 7 Fedora Update System 2009-10-10 20:25:32 UTC
Django-1.1.1-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update Django'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0621

Comment 8 Michel Lind 2009-10-11 00:21:28 UTC
Should this perhaps be pushed straight to stable?

Comment 9 Steve Milner 2009-10-12 13:29:37 UTC
*** Bug 528442 has been marked as a duplicate of this bug. ***

Comment 10 Jan Lieskovsky 2009-10-13 13:02:58 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3695 to
the following vulnerability:

Algorithmic complexity vulnerability in the forms library in Django
1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause
a denial of service (CPU consumption) via a crafted (1) EmailField
(email address) or (2) URLField (URL) that triggers a large amount of
backtracking in a regular expression.

References:
-----------
http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457
http://www.djangoproject.com/weblog/2009/oct/09/security/
http://www.debian.org/security/2009/dsa-1905
http://www.securityfocus.com/bid/36655
http://secunia.com/advisories/36948
http://secunia.com/advisories/36968
http://www.vupen.com/english/advisories/2009/2871
http://xforce.iss.net/xforce/xfdb/53727
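The advisory quoted in the description and the CVE text above both come down to the same failure mode: a validation regex whose running time grows far faster than the input it is given. The script below is an added example, not Django's code and not the EmailField/URLField patterns the advisory refers to (those are not reproduced in this bug). It uses a constructed nested-quantifier pattern to show what catastrophic backtracking looks like, a linear pattern for the same language beside it, a length guard in front of the regex, and a small timing harness that flags any validator whose run time grows superlinearly with input size. The pattern names, the field-length bound and the sample inputs are all constructed for this example.

```python
"""Spot regex validators that backtrack catastrophically (ReDoS) by timing them.

Added example; not Django's code. The patterns are constructed toys, not the
email/URL regexes discussed in this bug.
"""
import re
import time
from typing import Callable

# Constructed toy: the nested quantifier in '(a+)+' makes the engine try every
# way of splitting a run of 'a's before it gives up on a non-matching input.
VULNERABLE_RE = re.compile(r"^(a+)+$")

# Same language without the nested quantifier: runs in linear time.
SAFE_RE = re.compile(r"^a+$")

# Defence in depth: bound the input before any regex sees it. The value is a
# constructed choice for this example. Note that a length cap alone does not
# rescue an exponential pattern; it only keeps polynomial ones within budget.
MAX_FIELD_LENGTH = 254


def validate(pattern: re.Pattern, value: str) -> bool:
    """Return True if value is accepted; over-long input is rejected first."""
    if len(value) > MAX_FIELD_LENGTH:
        return False
    return pattern.match(value) is not None


def worst_case_input(n: int) -> str:
    """Constructed non-matching input: n letters, then a character that forces failure."""
    return "a" * n + "!"


def time_validator(validator: Callable[[str], bool], value: str, reps: int = 5) -> float:
    """Best-of-reps wall time in seconds; taking the minimum damps scheduler noise."""
    best = float("inf")
    for _ in range(reps):
        start = time.perf_counter()
        validator(value)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(validator: Callable[[str], bool], small: int, large: int) -> float:
    """Run time at input size `large` divided by run time at size `small`.

    A linear validator gives roughly large/small; exponential backtracking
    gives roughly 2 ** (large - small) for the toy pattern above.
    """
    t_small = time_validator(validator, worst_case_input(small))
    t_large = time_validator(validator, worst_case_input(large))
    return t_large / max(t_small, 1e-9)


def is_superlinear(validator: Callable[[str], bool], small: int = 12,
                   large: int = 18, tolerance: float = 8.0) -> bool:
    """Flag a validator whose run time grows much faster than its input size.

    Sizes are kept small so the check itself finishes quickly even for a
    pathological pattern; the ratio, not the absolute time, is the signal.
    """
    linear_expectation = large / small
    return growth_ratio(validator, small, large) > tolerance * linear_expectation


if __name__ == "__main__":
    for name, pattern in (("vulnerable", VULNERABLE_RE), ("safe", SAFE_RE)):
        check = lambda v, p=pattern: validate(p, v)
        print(f"{name:10s} growth ratio {growth_ratio(check, 12, 18):8.1f} "
              f"superlinear={is_superlinear(check)}")
```

Pointing `is_superlinear` at a real form field's clean/validate method, with inputs generated for that field's syntax, gives a cheap regression check that a validator stays within a linear budget; the sizes are deliberately tiny so that a failing pattern is flagged in well under a second rather than by an unresponsive process.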

Comment 11 Fedora Update System 2009-10-15 22:34:35 UTC
Django-1.1.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-10-15 22:34:49 UTC
Django-1.1.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-10-16 19:30:39 UTC
Django-1.1.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2009-10-16 19:33:54 UTC
Django-1.1.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Steve Milner 2009-10-16 20:05:53 UTC
F11, F10, EPEL-4 and EPEL-5 now are updated. Closing this bug.