Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Fedora 10: 2009-10432 Moderate: Django Forms Denial of Service

fedora
Calendar Grey October 15, 2009
Dist Fedora Esm H88
Django's forms framework has a flaw that leads to high CPU consumption, risking denial-of-service attacks. Apply updates to address the issue.
http://www.djangoproject.com/weblog/2009/oct/09/security/ Description of vulnerability ============================ Django's forms library included field types which perfor...

Summary

Django is a high-level Python Web framework that encourages rapid

development and a clean, pragmatic design. It focuses on automating as

much as possible and adhering to the DRY (Don't Repeat Yourself)

principle.

Update Information:

http://www.djangoproject.com/weblog/2009/oct/09/security/ Description of vulnerability ============================ Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Topics%20covered

Topics Covered

security advisory Fedora denial-of-service performance issue Django

Change Log

* Fri Oct 9 2009 Steve 'Ashcrow' Milner - 1.1.1-1 - Update to fix http://www.djangoproject.com/weblog/2009/oct/09/security/ - Django-ignore-pyo-bz-495046.patch no longer needed. * Wed Aug 26 2009 Steve 'Ashcrow' Milner - 1.1-4 - EL-4 shouldn't get the sphinx docs. * Wed Aug 26 2009 Steve 'Ashcrow' Milner - 1.1-3 - ghosting admin py* is now FC9 and under. * Thu Aug 6 2009 Steve 'Ashcrow' Milner - 1.1-2 - Applied Daniel Mach's patch from bz#516016. * Sat Aug 1 2009 Steve 'Ashcrow' Milner - 1.1-1 - Update for Django 1.1 release. - Moved /usr/bin/django-admin.py to /usr/bin/django-admin - sed macro is now being used - Patch for bz#495046 applied. * Wed Jul 29 2009 Steve 'Ashcrow' Milner - 1.0.3-6 - Attempted combined spec for F12/11/10 and EL5 * Wed Jul 29 2009 Steve 'Ashcrow' Milner - 1.0.3-4 - Older builds must ghost django-admin.py[c,o] * Wed Jul 29 2009 Steve 'Ashcrow' Milner - 1.0.3-3 - Bump for tag issue. * Wed Jul 29 2009 Steve 'Ashcrow' Milner - 1.0.3-2 - Fix changelog. * Wed Jul 29 2009 Steve 'Ashcrow' Milner - 1.0.3-1 - Upgrade for http://www.djangoproject.com/weblog/2009/jul/28/security/ * Thu Mar 12 2009 Michel Salim - 1.0.2-3 - Build HTML documentation (bug #484070) - No longer excluding *.py? in bindir, F11's Python does not optimizes these * Mon Feb 23 2009 Fedora Release Engineering - 1.0.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Sun Dec 14 2008 Michel Salim - 1.0.2-1 - Update to 1.0.2 * Sat Nov 1 2008 Steve 'Ashcrow' Milner - 1.0.1-0.1.beta1 - Update to 1.0.1_beta_1

References


[ 1 ] Bug #528246 - Django's forms DOS in 1.1/1.0 https://bugzilla.redhat.com/show_bug.cgi?id=528246

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update Django' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
important
Lowest
Low
Medium
High
Critical

Name: Django
Product: Fedora 10
Version: 1.1.1
Release: 1.fc10
URL: http://www.djangoproject.com/
Summary: A high-level Python Web framework

Topics%20covered

Topics Covered

security advisory Fedora denial-of-service performance issue Django

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here