Bugzilla – Bug 923172
VUL-1: CVE-2015-2316: python-django,python-Django: Django: possible denial of service in strip_tags()
Last modified: 2015-10-13 13:08:46 UTC
via https://www.djangoproject.com/weblog/2015/mar/18/security-releases/

Denial-of-service possibility with strip_tags()

Last year django.utils.html.strip_tags was changed to work iteratively. The problem is that the size of the input it's processing can increase on each iteration which results in an infinite loop in strip_tags(). This issue only affects versions of Python that haven't received a bugfix in HTMLParser; namely Python < 2.7.7 and 3.3.5. Some operating system vendors have also backported the fix for the Python bug into their packages of earlier versions.

To remedy this issue, strip_tags() will now return the original input if it detects the length of the string it's processing increases. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape.

Thanks Andrey Babak for reporting the issue. This issue has been assigned the identifier CVE-2015-2316.
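The length guard the advisory describes, as an added example that is not Django's own code: a single stripping pass built on the standard-library HTMLParser, and an iterative wrapper that stops when a pass no longer shrinks the text and returns the original input if a pass ever grows it. The `strip_once` parameter is an assumption of this example, so a constructed misbehaving pass can stand in for the old HTMLParser behaviour without reproducing the Python bug itself.

```python
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps only text content; tags are dropped (example class, assumed)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_entityref(self, name):
        self.chunks.append("&%s;" % name)   # keep entities verbatim

    def handle_charref(self, name):
        self.chunks.append("&#%s;" % name)

    def get_data(self):
        return "".join(self.chunks)


def strip_once(value):
    """One pass of tag stripping with the standard-library parser."""
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.get_data()


def strip_tags(value, strip_once=strip_once):
    """Strip tags iteratively: remains of one pass can form a new tag
    (e.g. '<<b>b>'), so loop until a pass no longer shrinks the text.
    If a pass GROWS the text, return the original input instead of
    looping forever; that is the guard the advisory describes."""
    original = value
    while "<" in value and ">" in value:
        new_value = strip_once(value)
        if len(new_value) > len(value):
            return original          # runaway pass: give up, do not loop
        if len(new_value) == len(value):
            break                    # nothing left to strip
        value = new_value
    return value                     # NOT HTML safe: escape before marking safe
```

A misbehaving pass passed as `strip_once` (constructed, not the real trigger) returns immediately with the input, where the unguarded loop would never terminate.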
Can you cross-check whether 1.4 is not affected too, please?
And 1.5.x?
bugbot adjusting priority
1.4 and 1.5 implement strip_tags with a regexp, so they should not be affected. Will need an update for python-Django-1.6 in SUSE Cloud 5.
This is an autogenerated message for OBS integration: This bug (923172) was mentioned in https://build.opensuse.org/request/show/292041 13.2 / python-Django
This is an autogenerated message for OBS integration: This bug (923172) was mentioned in https://build.opensuse.org/request/show/292722 13.2 / python-Django
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-08. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61316
openSUSE-SU-2015:0643-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.4.1
SUSE-SU-2015:0694-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 923172,923176 CVE References: CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Cloud 5 (src): python-Django-1.6.11-0.7.1
SUSE-SU-2015:1109-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
SUSE-SU-2015:1112-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
Unless I'm mistaken, this one has already been released. Can we close as FIXED?
yes, was released