Bug 1203793 (CVE-2022-41323) - VUL-0: CVE-2022-41323: python-Django: potential denial-of-service vulnerability in internationalized URLs
Summary: VUL-0: CVE-2022-41323: python-Django: potential denial-of-service vulnerabili...
Status: IN_PROGRESS
Alias: CVE-2022-41323
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Alberto Planas Dominguez
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/343663/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-27 12:10 UTC by Carlos López
Modified: 2024-01-12 11:41 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
main branch patch (3.26 KB, patch)
2022-09-27 12:17 UTC, Carlos López
4.1.x patch (3.27 KB, patch)
2022-09-27 12:17 UTC, Carlos López
4.0.x patch (2.74 KB, patch)
2022-09-27 12:18 UTC, Carlos López
3.2.x patch (2.16 KB, patch)
2022-09-27 12:18 UTC, Carlos López

Description Carlos López 2022-09-27 12:10:18 UTC
Internationalized URLs were subject to a potential denial-of-service attack via the locale parameter. This is now escaped to avoid this possibility.

Affected versions
=================

* Django main development branch
* Django 4.1
* Django 4.0
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 4.1.2
* Django 4.0.8
* Django 3.2.16
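An added illustration of the escaping the advisory describes. This is a constructed stand-in for a locale-prefix URL pattern, not Django's own code; the function names and sample inputs are my own. It assumes the locale string is influenced by the request and compiles it into a prefix regex, contrasting the raw compile with the escaped one.

```python
import re

# Constructed example (not Django's code): a minimal locale-prefix pattern.
# The locale value is request-influenced, so it must never reach re.compile()
# as a raw pattern.


def prefix_regex_vulnerable(language_code: str) -> re.Pattern:
    """Before the fix: the prefix is compiled as a regular expression,
    so any regex metacharacters in the locale are interpreted."""
    return re.compile(f"{language_code}/")


def prefix_regex_fixed(language_code: str) -> re.Pattern:
    """After the fix: the prefix is escaped first, so it can only match
    itself literally, whatever characters the locale contains."""
    return re.compile(re.escape(f"{language_code}/"))


def matches_prefix(pattern: re.Pattern, path: str) -> bool:
    """Mimic how a resolver tests a request path against the prefix pattern."""
    return pattern.match(path) is not None


def compare(language_code: str, path: str) -> dict:
    """Resolve PATH against both variants; 'error' records a failed compile."""
    result = {}
    for name, builder in (("vulnerable", prefix_regex_vulnerable),
                          ("fixed", prefix_regex_fixed)):
        try:
            result[name] = matches_prefix(builder(language_code), path)
        except re.error:
            result[name] = "error"
    return result


if __name__ == "__main__":
    # Constructed inputs: a well-formed locale, then locales carrying metacharacters.
    print(compare("en", "en/about/"))      # both variants match
    print(compare("e.", "ex/about/"))      # raw '.' matches any char; escaped form does not
    print(compare("en(", "en(/about/"))    # raw compile fails (unbalanced group); escaped matches literally
```

The defender-side check is the last two calls: once the prefix is escaped, a locale can only ever match itself, and it can no longer cause the compile step to fail.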
Comment 3 Carlos López 2022-09-27 12:14:38 UTC
This affects:
- openSUSE:Backports:SLE-15-SP3/python-Django
- openSUSE:Backports:SLE-15-SP4/python-Django
- openSUSE:Factory/python-Django
Comment 4 Carlos López 2022-09-27 12:17:17 UTC
Created attachment 861765 [details]
main branch patch
Comment 5 Carlos López 2022-09-27 12:17:47 UTC
Created attachment 861766 [details]
4.1.x patch
Comment 6 Carlos López 2022-09-27 12:18:09 UTC
Created attachment 861767 [details]
4.0.x patch
Comment 7 Carlos López 2022-09-27 12:18:47 UTC
Created attachment 861768 [details]
3.2.x patch
Comment 9 Alberto Planas Dominguez 2022-10-04 10:53:27 UTC
All the SR / MR should be in place
Comment 10 OBSbugzilla Bot 2022-10-04 11:25:06 UTC
This is an autogenerated message for OBS integration:
This bug (1203793) was mentioned in
https://build.opensuse.org/request/show/1007887 Backports:SLE-15-SP3 / python-Django
https://build.opensuse.org/request/show/1007888 Backports:SLE-15-SP4 / python-Django
Comment 11 Swamp Workflow Management 2023-01-03 14:23:36 UTC
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-Django-2.2.28-bp153.2.3.1
Comment 12 OBSbugzilla Bot 2023-02-02 16:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203793) was mentioned in
https://build.opensuse.org/request/show/1062680 Backports:SLE-15-SP4 / python-Django
Comment 13 Swamp Workflow Management 2023-02-21 20:05:27 UTC
openSUSE-SU-2023:0057-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1203793,1207565
CVE References: CVE-2022-41323,CVE-2023-23969
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    python-Django-2.2.28-bp154.2.6.1
Comment 14 OBSbugzilla Bot 2023-07-10 13:15:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203793) was mentioned in
https://build.opensuse.org/request/show/1097960 Backports:SLE-15-SP5 / python-Django
Comment 15 Marcus Meissner 2023-07-13 19:05:29 UTC
openSUSE-SU-2023:0178-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1203793,1207565,1208082,1212742
CVE References: CVE-2022-41323,CVE-2023-23969,CVE-2023-24580,CVE-2023-36053
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-Django-2.2.28-bp155.7.3.1