Django has a 0-day security vulnerability. It’s time to upgrade:

Security updates released

Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.

Description of vulnerability

Django’s forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

  • Django development trunk
  • Django 1.1
  • Django 1.0

Read more at the Django blog
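The "pathological performance case" in the announcement is catastrophic backtracking: a pattern whose nested repetition can split the same run of characters in exponentially many ways, so a near-miss input pins the worker until every path has been tried. The two standard defences are a hard length cap applied before the regular expression runs and a pattern whose repetition is unambiguous. The Python script below is an added example written for this post; it is not Django's code, and both regular expressions in it are constructed stand-ins, not the ones the Django forms library shipped. The 254-character cap and the fixed `example.com` domain are assumptions chosen to keep the illustration small.

```python
import re
import time

# Constructed patterns for illustration only; these are NOT the regular
# expressions Django shipped. Both accept a lowercase dotted local part at a
# fixed domain, so the only difference between them is how repetition is written.

# Vulnerable shape: because the separator "\.?" is optional, the outer "+" and
# the inner "+" can carve one run of characters up in exponentially many ways,
# and a near-miss input forces the engine through all of them before failing.
VULNERABLE_EMAIL = re.compile(r"^([a-z0-9]+\.?)+@example\.com$")

# Hardened shape: every additional label must begin with a literal ".", so each
# character has exactly one place it can belong and matching stays linear.
SAFE_EMAIL = re.compile(r"^[a-z0-9]+(?:\.[a-z0-9]+)*@example\.com$")

# Assumed upper bound; 254 characters is the usual maximum for an SMTP address.
MAX_EMAIL_LEN = 254


def validate_email_unsafe(value: str) -> bool:
    """Regex-only check with no length cap: the shape of the flaw."""
    return VULNERABLE_EMAIL.match(value) is not None


def validate_email_hardened(value: str, max_len: int = MAX_EMAIL_LEN) -> bool:
    """Reject oversize input before the regex ever runs, then match with a
    pattern whose repetition cannot be split ambiguously."""
    if len(value) > max_len:
        return False
    return SAFE_EMAIL.match(value) is not None


def time_match(pattern: re.Pattern, value: str) -> float:
    """Seconds spent in one match attempt; used to expose the growth curve."""
    start = time.perf_counter()
    pattern.match(value)
    return time.perf_counter() - start


def near_miss(n: int) -> str:
    """Constructed probe: n valid characters followed by one that can never
    match, so the engine has to exhaust every backtracking path."""
    return "a" * n + "!"


if __name__ == "__main__":
    # Sizes are kept small on purpose: the vulnerable pattern roughly doubles
    # its work with every extra character in the probe.
    for n in (12, 14, 16, 18):
        probe = near_miss(n)
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE_EMAIL, probe):.4f}s"
              f"  hardened={time_match(SAFE_EMAIL, probe):.6f}s")
    print(validate_email_hardened("alice.smith@example.com"))   # True
    print(validate_email_hardened("alice..smith@example.com"))  # False
    print(validate_email_hardened("a" * 300 + "@example.com"))   # False (length cap)
```

Running the script shows the vulnerable pattern's time per match roughly doubling with each added character of the probe while the hardened pattern stays flat. That growth ratio, not any absolute timing, is the signal to look for when auditing a validator, and the length cap is what keeps a worker bounded even if a pattern later turns out to be worse than expected.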
