<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Mon, 4 Mar 2024 10:06:50 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the
Django team
is issuing
`Django 5.0.3 <https://docs.djangoproject.com/en/dev/releases/5.0.3/>`_,
`Django 4.2.11
<https://docs.djangoproject.com/en/dev/releases/4.2.11/>`_, and
`Django 3.2.25 <https://docs.djangoproject.com/en/dev/releases/3.2.25/>`_.
These releases addresses the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.
CVE-2024-27351: Potential regular expression denial-of-service in
``django.utils.text.Truncator.words()``
=========================================================================================================
``django.utils.text.Truncator.words()`` method (with ``html=True``) and
``truncatewords_html`` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to CVE-2019-14232 and CVE-2023-43665).
Thanks Seokchan Yoon for the report.
This issue has severity "moderate" according to the Django security policy.
Affected supported versions
===========================
* Django 5.0
* Django 4.2
* Django 3.2
Resolution
==========
Patches to resolve the issue have been applied to the 5.0, 4.2, and 3.2
release branches. The patches may be obtained from the following changesets:
* On the `5.0 release branch
<https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e>`__
* On the `4.2 release branch
<https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a>`__
* On the `3.2 release branch
<https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521>`__
The following releases have been issued:
* Django 5.0.3 (`download Django 5.0.3
<https://www.djangoproject.com/m/releases/5.0/Django-5.0.3.tar.gz>`_ |
`5.0.3 checksums
<https://www.djangoproject.com/m/pgp/Django-5.0.3.checksum.txt>`_)
* Django 4.2.11 (`download Django 4.2.11
<https://www.djangoproject.com/m/releases/4.2/Django-4.2.11.tar.gz>`_ |
`4.2.11 checksums
<https://www.djangoproject.com/m/pgp/Django-4.2.11.checksum.txt>`_)
* Django 3.2.25 (`download Django 3.2.25
<https://www.djangoproject.com/m/releases/3.2/Django-3.2.25.tar.gz>`_ |
`3.2.25 checksums
<https://www.djangoproject.com/m/pgp/Django-3.2.25.checksum.txt>`_)
The PGP key ID used for this release is Mariusz Felisiak:
`2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.
General notes regarding security reporting
==========================================
As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words() Mariusz Felisiak (Mar 04)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->