DoS attack on Django 1.0.x and 1.1.x disclosed

Bug #447617 reported by Krzysztof Klimonda on 2009-10-09
Affects                  Status  Importance  Assigned to          Milestone
python-django (Ubuntu)           Medium      Krzysztof Klimonda
Intrepid                         Medium      Unassigned
Jaunty                           Medium      Krzysztof Klimonda
Karmic                           Medium      Krzysztof Klimonda

Bug Description

The 1.1.1 version of Django framework has been released.

From their announcement:

"Security updates released

Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.
Description of vulnerability

Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack."

In order to make this update we also have to fix bug 445639 (FTBFS due to regression test failures).
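The announcement quoted above describes e-mail and URL validation built on a single regular expression with a pathological backtracking case. As an added example (not Django's code and not its actual fix), the Python validator below shows one defensive structure for the e-mail case: a length cap is checked before any pattern runs, and the address is split into a local part and individual DNS labels, each matched by a small anchored pattern with bounded repetition, so no nested quantifier can make the cost superlinear in the input. The limits used (254 characters for the address, 64 for the local part, 63 per label) are assumptions taken from the RFC 5321 / RFC 1035 conventions.

```python
import re

# Added example, not Django's code. Validate an e-mail address without one
# large regular expression so that validation cost stays linear in the
# input length and cannot be driven into catastrophic backtracking.
MAX_ADDRESS_LEN = 254   # assumed practical limit for a whole address (RFC 5321)
MAX_LABEL_LEN = 63      # assumed DNS label limit (RFC 1035)

# Every pattern below is anchored and contains a single bounded repetition
# (no quantifier nested inside another unbounded quantifier), so the regex
# engine has only a constant number of alternatives to try on failure.
_LOCAL_RE = re.compile(r'^[A-Za-z0-9!#$%&\'*+/=?^_`{|}~.-]{1,64}$')
_LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')
_TLD_RE = re.compile(r'^[A-Za-z]{2,63}$')


def is_valid_email(address):
    """Return True if `address` is syntactically acceptable.

    The total-length check runs first, so oversized input is rejected
    before any regular expression is evaluated at all.
    """
    if not isinstance(address, str) or len(address) > MAX_ADDRESS_LEN:
        return False
    # Split on the last '@'; local part and domain must both be present.
    local, sep, domain = address.rpartition('@')
    if not sep or not local or not domain:
        return False
    if not _LOCAL_RE.match(local):
        return False
    # Dot-atom rules: no leading, trailing or consecutive dots.
    if local.startswith('.') or local.endswith('.') or '..' in local:
        return False
    labels = domain.split('.')
    if len(labels) < 2:
        return False
    # Each label is checked on its own: work grows linearly with label count,
    # and a label longer than MAX_LABEL_LEN fails the anchored pattern.
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        return False
    if not all(_LABEL_RE.match(label) for label in labels[:-1]):
        return False
    return bool(_TLD_RE.match(labels[-1]))
```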

visibility: private → public
Krzysztof Klimonda (kklimonda) wrote:

I'll try to close both bugs before Final Freeze.

Changed in ubuntu:
assignee: nobody → Krzysztof Klimonda (kklimonda)
affects: ubuntu → python-django (Ubuntu)
Krzysztof Klimonda (kklimonda) wrote:

A debdiff from the Debian unstable version.
The patch that disables a few regression tests was merged by Debian, but a new one was introduced to fix an FTBFS issue due to a change in how Python 2.6.3 handles decimal values.

summary: - Update python-django to 1.1.1
+ DoS attack on Django 1.0.x and 1.1.x disclosed
Krzysztof Klimonda (kklimonda) wrote:

The DoS vulnerability is also present in 1.0.x and so has to be fixed for Jaunty.

Changed in python-django (Ubuntu Jaunty):
status: New → Confirmed
Changed in python-django (Ubuntu):
status: New → Confirmed
Changed in python-django (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in python-django (Ubuntu):
importance: Undecided → Medium
Kees Cook (kees) wrote:

Thanks for the karmic diff -- I'll have this uploaded shortly.

Changed in python-django (Ubuntu Jaunty):
assignee: nobody → Krzysztof Klimonda (kklimonda)
Changed in python-django (Ubuntu Karmic):
status: Confirmed → Fix Committed
Kees Cook (kees) wrote:
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-django - 1.1.1-1ubuntu1

---------------
python-django (1.1.1-1ubuntu1) karmic; urgency=low

  * Merge python-django 1.1.1-1 from debian unstable (LP: #447617)
    for security and bug fixes, all Ubuntu changes merged by Debian.
  * Add to debian/patches:
    - 20_python2.6.3_regression.patch - backported upstream commit 11620
      to make Django work with Python 2.6.3 properly. (LP: #445639)

python-django (1.1.1-1) unstable; urgency=high

  * New upstream security release - fixes pathological regular expression
    backtracking performance in URL and email fields which can be used as part
    of a denial of service attack.
  * Set Maintainer: to myself with thanks to Brett Parker.
  * Bump versioned build dependency on quilt to help backporters.
    (Closes: #547955)

python-django (1.1-4) unstable; urgency=low

  * Sourceful upload to drop dependency on Python 2.4.

python-django (1.1-3) unstable; urgency=low

  * Disable regression tests that require an internet connection. Patch by
    Krzysztof Klimonda <email address hidden>. (Closes: #542996)
  * Bump Standards-Version to 3.8.3.

 -- Krzysztof Klimonda <email address hidden> Mon, 12 Oct 2009 19:22:16 +0200

Changed in python-django (Ubuntu Karmic):
status: Fix Committed → Fix Released
Mathias Gug (mathiaz) wrote:

Unsubscribing the sponsor team for now as there isn't anything to sponsor. The next step is to extract the relevant patch from the upstream 1.0 branch and prepare patches (or a debdiff) for the current packages in Intrepid and Jaunty.

Changed in python-django (Ubuntu Intrepid):
importance: Undecided → Medium
Alex Valavanis (valavanisalex) wrote:

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in python-django (Ubuntu Intrepid):
status: New → Invalid
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-django - 1.0.2-1ubuntu0.2

---------------
python-django (1.0.2-1ubuntu0.2) jaunty-security; urgency=low

  * SECURITY UPDATE: Certain email addresses/URLs can trigger
    a catastrophic backtracking situation, causing 100% CPU
    and server overload. (LP: #447617, LP: #478328)
    http://www.djangoproject.com/weblog/2009/oct/09/security/
    - Applied upstream changeset 11605
    - CVE-2009-3695
 -- Krzysztof Klimonda <email address hidden> Tue, 13 Oct 2009 21:59:00 +0200

Changed in python-django (Ubuntu Jaunty):
status: Confirmed → Fix Released
This report contains Public Security information.
Everyone can see this security related information.