Subject: CVS commit: pkgsrc/www/py-django3
From: Adam Ciarcinski
Date: 2023-10-04 22:13:51
Message id: 20231004201351.99925FBDB@cvs.NetBSD.org

Log Message:
py-django3: updated to 3.2.22

Django 3.2.22 fixes a security issue with severity “moderate” in 3.2.21.

CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.

The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.

Files:
Revision  Action  File
1.35      modify  pkgsrc/www/py-django3/Makefile
1.34      modify  pkgsrc/www/py-django3/distinfo
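As an added example (not Django's code and not part of this commit), a simplified html=True word truncator that applies the five-million-character cap described in the log message and scans its input in a single linear pass, so a very long, malformed input such as an unclosed run of `<` cannot trigger the regex backtracking the advisory describes. The function name `truncate_words_html`, the `VOID` set and the constant name `MAX_LENGTH_HTML` are assumptions, not Django's API.

```python
import re

# Mirrors the mitigation in the log message: in HTML mode only the first
# five million characters are considered (constant name is an assumption).
MAX_LENGTH_HTML = 5_000_000
# Void elements that never need a closing tag (constructed, not exhaustive).
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr", "source"}
# Words vs. whitespace runs: two disjoint classes, no nesting, so linear.
_WORD_RE = re.compile(r"\S+|\s+")


def _tokens(text):
    """One left-to-right pass yielding ('tag', s), ('word', s) or ('space', s).
    A '<' with no '>' after it is treated as text, so malformed input can
    never make the scanner back up and re-scan (no backtracking anywhere)."""
    i, n = 0, len(text)
    while i < n:
        lt = text.find("<", i)
        gt = text.find(">", lt + 1) if lt != -1 else -1
        end = lt if gt != -1 else n
        for m in _WORD_RE.finditer(text, i, end):
            yield ("space" if m.group().isspace() else "word"), m.group()
        if gt == -1:
            return
        yield "tag", text[lt:gt + 1]
        i = gt + 1


def truncate_words_html(text, num, truncate="…", limit=MAX_LENGTH_HTML):
    """Keep the first `num` words, pass tags through uncounted, and close
    tags still open at the cut. Input past `limit` chars is dropped first."""
    text = text[:limit]
    out, open_tags, words = [], [], 0
    for kind, tok in _tokens(text):
        if kind == "word":
            if words == num:  # reached the cut: stop here, then close tags
                return ("".join(out).rstrip() + truncate
                        + "".join(f"</{t}>" for t in reversed(open_tags)))
            words += 1
        elif kind == "tag":
            body = tok[1:-1].strip()
            name = body.strip("/").split()[0].lower() if body.strip("/") else ""
            if body.startswith("/"):
                if name in open_tags:  # pop the most recent matching open tag
                    del open_tags[len(open_tags) - 1 - open_tags[::-1].index(name)]
            elif name and name[0] != "!" and not body.endswith("/") and name not in VOID:
                open_tags.append(name)
        out.append(tok)
    return text
```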