Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 288366 (CVE-2009-3695)

Summary: <dev-python/django-1.0.4, =dev-python/django-1.1 suffer from potential DOS in forms library via EmailField or URLField (CVE-2009-3695)
Product: Gentoo Security Reporter: Matt Summers (RETIRED) <quantumsummers>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: python
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.djangoproject.com/weblog/2009/oct/09/security/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Matt Summers (RETIRED) gentoo-dev 2009-10-09 23:03:34 UTC 
Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.


Reproducible: Always
Comment 1 Matt Summers (RETIRED) gentoo-dev 2009-10-09 23:10:00 UTC 
The new ebuilds have been added to the tree, and the vulnerable removed by Patrick.

Awesome.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-13 17:08:09 UTC 
CVE-2009-3695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3695):
  Algorithmic complexity vulnerability in the forms library in Django
  1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to
  cause a denial of service (CPU consumption) via a crafted (1)
  EmailField (email address) or (2) URLField (URL) that triggers a
  large amount of backtracking in a regular expression.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:35:20 UTC 
7 minutes from report to fix? Wow!
Closing noglsa.