CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters ============================================================================ If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were passed the ``html=True`` argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The ``chars()`` and ``words()`` methods are used to implement the ``truncatechars_html`` and ``truncatewords_html`` template filters, which were thus vulnerable. The backtracking problem in the regular expression is fixed.
Acknowledgments: Name: the Django project
External References: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1552178] Affects: epel-7 [bug 1552179] Created python-django16 tracking bugs for this issue: Affects: epel-7 [bug 1552177]
Statement: This issue affects the versions of django as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
This issue has been addressed in the following products: Red Hat Gluster Storage 3.4 for RHEL 7 Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265