Security update for python-Django SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0651-1 Final 1 1 2018-03-09T13:07:09Z current 2018-03-09T13:07:09Z 2018-03-09T13:07:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Django This update for python-Django fixes the following issues: Update to 1.11.11 * Fixes CVE-2018-7536, CVE-2018-7537 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-7536/ SUSE CVE CVE-2018-7536 page https://www.suse.com/security/cve/CVE-2018-7537/ SUSE CVE CVE-2018-7537 page SUSE Package Hub 12 python-Django-1.11.11-8.1 python-Django-1.11.11-8.1 as a component of SUSE Package Hub 12 An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. CVE-2018-7536 SUSE Package Hub 12:python-Django-1.11.11-8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-7536.html CVE-2018-7536 https://bugzilla.suse.com/1083304 SUSE Bug 1083304 An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. CVE-2018-7537 SUSE Package Hub 12:python-Django-1.11.11-8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-7537.html CVE-2018-7537 https://bugzilla.suse.com/1083305 SUSE Bug 1083305