CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters =========================================================================== The ``django.utils.html.urlize()`` function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (one regular expression for Django 1.8). The ``urlize()`` function is used to implement the ``urlize`` and ``urlizetrunc`` template filters, which were thus vulnerable. The problematic regular expressions are replaced with parsing logic that behaves similarly.
Acknowledgments: Name: the Django project
External References: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1552178] Affects: epel-7 [bug 1552179] Created python-django16 tracking bugs for this issue: Affects: epel-7 [bug 1552177]
Statement: This issue affects the versions of django as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2019:0051 https://access.redhat.com/errata/RHSA-2019:0051
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2019:0082 https://access.redhat.com/errata/RHSA-2019:0082
This issue has been addressed in the following products: Red Hat Gluster Storage 3.4 for RHEL 7 Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265