From 8618271caa0b09daba39ff3b46567d33ae1e1d3a Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Sat, 24 Feb 2018 11:30:11 -0500 Subject: Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch. --- docs/releases/1.11.11.txt | 11 +++++++++++ docs/releases/1.8.19.txt | 11 +++++++++++ docs/releases/2.0.3.txt | 11 +++++++++++ 3 files changed, 33 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.11.11.txt b/docs/releases/1.11.11.txt index c344f3e7b5..696465fd47 100644 --- a/docs/releases/1.11.11.txt +++ b/docs/releases/1.11.11.txt @@ -5,3 +5,14 @@ Django 1.11.11 release notes *March 6, 2018* Django 1.11.11 fixes two security issues in 1.11.10. + +CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters +=============================================================================================== + +The ``django.utils.html.urlize()`` function was extremely slow to evaluate +certain inputs due to catastrophic backtracking vulnerabilities in two regular +expressions. The ``urlize()`` function is used to implement the ``urlize`` and +``urlizetrunc`` template filters, which were thus vulnerable. + +The problematic regular expressions are replaced with parsing logic that +behaves similarly. diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt index 9709f2622d..ae509f11c4 100644 --- a/docs/releases/1.8.19.txt +++ b/docs/releases/1.8.19.txt @@ -5,3 +5,14 @@ Django 1.8.19 release notes *March 6, 2018* Django 1.8.19 fixes two security issues in 1.18.18. + +CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters +=============================================================================================== + +The ``django.utils.html.urlize()`` function was extremely slow to evaluate +certain inputs due to a catastrophic backtracking vulnerability in a regular +expression. The ``urlize()`` function is used to implement the ``urlize`` and +``urlizetrunc`` template filters, which were thus vulnerable. + +The problematic regular expression is replaced with parsing logic that behaves +similarly. diff --git a/docs/releases/2.0.3.txt b/docs/releases/2.0.3.txt index b4d0ed0c23..a4c01302d1 100644 --- a/docs/releases/2.0.3.txt +++ b/docs/releases/2.0.3.txt @@ -7,6 +7,17 @@ Django 2.0.3 release notes Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the latest string translations from Transifex are incorporated. +CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters +=============================================================================================== + +The ``django.utils.html.urlize()`` function was extremely slow to evaluate +certain inputs due to catastrophic backtracking vulnerabilities in two regular +expressions. The ``urlize()`` function is used to implement the ``urlize`` and +``urlizetrunc`` template filters, which were thus vulnerable. + +The problematic regular expressions are replaced with parsing logic that +behaves similarly. + Bugfixes ======== -- cgit v1.3