PYSEC-2019-11
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2019-11.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2019-11
- Aliases
- Published
- 2019-08-02T15:15:00Z
- Modified
- 2023-11-01T05:44:01.791886Z
- Summary
- [none]
- Details
-
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatecharshtml and truncatewordshtml template filters, which were thus vulnerable.
- References
-
- https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- https://seclists.org/bugtraq/2019/Aug/15
- https://www.debian.org/security/2019/dsa-4498
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
- https://security.netapp.com/advisory/ntap-20190828-0002/
- https://security.gentoo.org/glsa/202004-17
- https://github.com/advisories/GHSA-c4qh-4vgv-qc6g
Affected packages
PyPI / django
Package
- Name
- django
- View open source insights on deps.dev
- Purl
- pkg:pypi/django