Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Reproducible: Always
The new ebuilds have been added to the tree, and the vulnerable removed by Patrick. Awesome.
CVE-2009-3695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3695): Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
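The mitigation for this class of bug is to stop validating the whole address with one backtracking regex and instead parse it structurally, applying only small, unnested patterns to each bounded piece. The validator below is an added example, not Django's own code or its fix; the character classes and limits (254 characters total, 63 per domain label, a 2 to 6 letter TLD) are assumptions chosen for illustration.

```python
import re
import time

# Each pattern has a single, unnested repetition, so the regex engine can
# never nest backtracking choices: matching is linear in the piece's length.
_LOCAL_RE = re.compile(r'^[A-Za-z0-9._%+-]+$')
_LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$')
_TLD_RE = re.compile(r'^[A-Za-z]{2,6}$')

# Assumed limits (not Django's rules): cap work before any regex runs.
MAX_EMAIL_LEN = 254
MAX_LABEL_LEN = 63


def is_valid_email(addr: str) -> bool:
    """Structural email check that runs in time linear in len(addr)."""
    if len(addr) > MAX_EMAIL_LEN or addr.count('@') != 1:
        return False
    local, domain = addr.split('@')
    if not _LOCAL_RE.match(local):
        return False
    labels = domain.split('.')
    if len(labels) < 2:                      # need at least host.tld
        return False
    for label in labels[:-1]:                # every label is bounded and simple
        if len(label) > MAX_LABEL_LEN or not _LABEL_RE.match(label):
            return False
    return _TLD_RE.match(labels[-1]) is not None


def validate_timed(addr: str) -> tuple:
    """Return (verdict, seconds) so a test harness can watch for super-linear
    growth when the input length is increased."""
    start = time.perf_counter()
    verdict = is_valid_email(addr)
    return verdict, time.perf_counter() - start


if __name__ == '__main__':
    # Constructed inputs: a normal address and a long, dot-heavy one of the
    # shape that stresses nested-quantifier regexes; both finish instantly.
    for sample in ('user@example.com', 'user@' + 'a.' * 100 + 'com'):
        print(sample[:40], validate_timed(sample))
```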
7 minutes from report to fix? Wow! Closing noglsa.