Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 926164 (CVE-2024-27351)

Summary: <dev-python/django-{3.2.25,4.2.11,5.0.3}: Potential ReDoS in django.utils.text.Truncator.words()
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 926161, 926162, 926163    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-03-04 13:53:27 UTC 
Django security releases issued: 5.0.3, 4.2.11, and 3.2.25
Posted by Mariusz Felisiak on Marzec 4, 2024

In accordance with our security release policy, the Django team is issuing Django 5.0.3, Django 4.2.11, and Django 3.2.25. These releases addresses the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).

Thanks Seokchan Yoon for the report.

This issue has severity "moderate" according to the Django security policy.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-03-04 18:22:03 UTC 
cleanup done.