From 7f65974f8219729c047fbbf8cd5cc9d80faefe77 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Mon, 15 Jul 2019 11:46:09 +0200 Subject: Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML. Thanks to Guido Vranken for initial report. --- docs/releases/1.11.23.txt | 14 ++++++++++++++ docs/releases/2.1.11.txt | 14 ++++++++++++++ docs/releases/2.2.4.txt | 14 ++++++++++++++ 3 files changed, 42 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.11.23.txt b/docs/releases/1.11.23.txt index 9a3ab7cbc9..6058bb8a81 100644 --- a/docs/releases/1.11.23.txt +++ b/docs/releases/1.11.23.txt @@ -5,3 +5,17 @@ Django 1.11.23 release notes *August 1, 2019* Django 1.11.23 fixes security issues in 1.11.22. + +CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods +were passed the ``html=True`` argument, they were extremely slow to evaluate +certain inputs due to a catastrophic backtracking vulnerability in a regular +expression. The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus vulnerable. + +The regular expressions used by ``Truncator`` have been simplified in order to +avoid potential backtracking issues. As a consequence, trailing punctuation may +now at times be included in the truncated output. diff --git a/docs/releases/2.1.11.txt b/docs/releases/2.1.11.txt index b8098334e1..f4ee3dbd30 100644 --- a/docs/releases/2.1.11.txt +++ b/docs/releases/2.1.11.txt @@ -5,3 +5,17 @@ Django 2.1.11 release notes *August 1, 2019* Django 2.1.11 fixes security issues in 2.1.10. + +CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods +were passed the ``html=True`` argument, they were extremely slow to evaluate +certain inputs due to a catastrophic backtracking vulnerability in a regular +expression. The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus vulnerable. + +The regular expressions used by ``Truncator`` have been simplified in order to +avoid potential backtracking issues. As a consequence, trailing punctuation may +now at times be included in the truncated output. diff --git a/docs/releases/2.2.4.txt b/docs/releases/2.2.4.txt index 59c05bf0e2..b22aa42482 100644 --- a/docs/releases/2.2.4.txt +++ b/docs/releases/2.2.4.txt @@ -6,6 +6,20 @@ Django 2.2.4 release notes Django 2.2.4 fixes security issues and several bugs in 2.2.3. +CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods +were passed the ``html=True`` argument, they were extremely slow to evaluate +certain inputs due to a catastrophic backtracking vulnerability in a regular +expression. The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus vulnerable. + +The regular expressions used by ``Truncator`` have been simplified in order to +avoid potential backtracking issues. As a consequence, trailing punctuation may +now at times be included in the truncated output. + Bugfixes ======== -- cgit v1.3