Weblog

October archive

Security updates released

October 9, 2009

Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.

Description of vulnerability

Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

  • Django development trunk
  • Django 1.1
  • Django 1.0

Resolution

The regular expressions used for email address and URL validation have been modified to eliminate the pathological performance case.

Patches were applied in the following changesets:

  • Django development trunk: 11603.
  • Django 1.1 release series: 11604.
  • Django 1.0 release series: 11605.

The following releases are being issued immediately:

These releases are available on our download page and on PyPI.

As this issue is being actively exploited in the wild, all users of affected versions of Django are strongly encouraged to upgrade or apply the appropriate patch immediately.

Note regarding security reporting

As mentioned above, this issue was initially disclosed publicly on a high-traffic mailing list. We'd like to remind our users that the correct channel for security reports is to send them to security@djangoproject.com. This allows the development team time to develop a solution and coordinate disclosure, both to the Django community as a whole and to the numerous third parties who maintain and distribute packaged versions of Django.

When debating whether a particular issue impacts security, we ask that you err on the side of caution and always contact security@djangoproject.com; we will be more than happy to work with you in analyzing and assessing potential security issues.