
oss-sec mailing list archives
Django: CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Mon, 4 Sep 2023 13:05:31 +0200
https://www.djangoproject.com/weblog/2023/sep/04/security-releases/

In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing `Django 4.2.5 <https://docs.djangoproject.com/en/dev/releases/4.2.5/>`_, `Django 4.1.11 <https://docs.djangoproject.com/en/dev/releases/4.1.11/>`_, and
`Django 3.2.21 <https://docs.djangoproject.com/en/dev/releases/3.2.21/>`_. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``
===================================================================================================

``django.utils.encoding.uri_to_iri()`` was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters.

Thanks to `MProgrammer <https://hackerone.com/mprogrammer>`_ for the report.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.2
* Django 4.1
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and the
4.2, 4.1, and 3.2 release branches. The patches may be obtained from the following changesets:

* On the `main branch <https://github.com/django/django/commit/3f41d6d62929dfe53eda8109b3b836f26645bdce>`__
* On the `4.2 release branch <https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9>`__
* On the `4.1 release branch <https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0>`__
* On the `3.2 release branch <https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e>`__

The following releases have been issued:

* Django 4.2.5 (`download Django 4.2.5 <https://www.djangoproject.com/m/releases/4.2/Django-4.2.5.tar.gz>`_ | `4.2.5 checksums <https://www.djangoproject.com/m/pgp/Django-4.2.5.checksum.txt>`_)
* Django 4.1.11 (`download Django 4.1.11 <https://www.djangoproject.com/m/releases/4.1/Django-4.1.11.tar.gz>`_ | `4.1.11 checksums <https://www.djangoproject.com/m/pgp/Django-4.1.11.checksum.txt>`_)
* Django 3.2.21 (`download Django 3.2.21 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.21.tar.gz>`_ | `3.2.21 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.21.checksum.txt>`_)
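A practical first step after reading an advisory like this is to confirm whether the Django version actually deployed falls into one of the affected series and, if so, which release to move to. The following is an added example written for this page; it is not code from the advisory or from the Django project. The fixed releases (4.2.5, 4.1.11, 3.2.21) and the affected supported series are taken from the advisory text above; the function names and the handling of series the advisory does not name are assumptions made for illustration.

```python
"""Check an installed Django version against the CVE-2023-41164 fix releases.

Added example, not part of the Django advisory or the Django code base.
The fixed releases and affected series come from the advisory; everything
else (function names, the 'unsupported' verdict) is an assumption.
"""
from __future__ import annotations

import re

# Minimum patched release for each supported series named in the advisory.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (4, 2): (4, 2, 5),
    (4, 1): (4, 1, 11),
    (3, 2): (3, 2, 21),
}

# Accepts "X.Y" or "X.Y.Z"; any suffix (rc1, .dev..., a1) is ignored so that a
# pre-release is compared by its numeric prefix only.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a Django version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str) -> dict:
    """Return a verdict dict for an installed Django version.

    'status' is one of:
      'vulnerable'  - a supported series below its fixed release
      'fixed'       - a supported series at or above its fixed release
      'unsupported' - a series the advisory does not name (assumption: such a
                      series gets no verdict here; consult its own release
                      notes rather than assuming it is safe)
    'upgrade_to' names the release to install when status is 'vulnerable'.
    """
    major, minor, patch = parse_version(version)
    series = (major, minor)
    fixed = FIXED_VERSIONS.get(series)
    if fixed is None:
        return {"version": version, "status": "unsupported", "upgrade_to": None}
    fixed_str = ".".join(str(n) for n in fixed)
    if (major, minor, patch) < fixed:
        return {"version": version, "status": "vulnerable", "upgrade_to": fixed_str}
    return {"version": version, "status": "fixed", "upgrade_to": None}


def check_installed() -> dict | None:
    """Assess the Django actually importable in this interpreter, if any."""
    try:
        import django  # only present when Django is installed
    except ImportError:
        return None
    return assess(django.get_version())


if __name__ == "__main__":
    # Constructed sample inputs covering each verdict.
    for v in ("4.2.4", "4.2.5", "4.1.10", "3.2.21", "4.0.10", "5.0.dev20230901"):
        print(v, "->", assess(v))
    installed = check_installed()
    print("installed:", installed if installed else "Django not importable here")
```

The comparison is done on integer tuples rather than on strings so that 4.1.11 correctly sorts above 4.1.9; a naive string comparison would report 4.1.9 as newer. Feed the function the version from your lock file or `pip freeze` output when the interpreter running the check is not the one serving the application.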
The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.
General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance or the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.