[GHSA-4c42-4rxm-x6qf] Django Denial of Service Vulnerability in the authentication framework

[MarkLee131]

Updates

• Affected products
• References

Comments
add a patch django/django@aae5a96, the patch for v1.4 shows it was backported from this patch.

[darakian]

Hey @MarkLee131, I'm going to reject this one as we don't have a 1.7.x affected product and the patch is largely the same as others which we already have.

[MarkLee131]

Hi, @darakian. Can I ask why not merge this patch? It seems not convincing to me that

as we don't have a 1.7.x affected product and the patch is largely the same as others which we already have.

since

1. this patch is disclosed on Django official at https://docs.djangoproject.com/en/3.2/releases/security/.

2. if it was not a patch, why the maintainers pushed it to their repo?

3. is it possible that the desc for this CVE should be updated according to the Django official, including vuln versions?

Anyway, I respect your decision. I am just interested in your views about it. This will help me a lot in contributing to this database in the future.

[darakian]

Can I ask why not merge this patch?

Because that patch applies to the 1.7 branch of django and our advisory applies to the 1.4.x and 1.5.x branches. 1.6 and 1.7 are implicitly fixed and while the patch is valid it's not relevant to those who are getting an alert about 1.4.x/1.5.x.

[MarkLee131]

Hi @darakian. Thanks for reply. So you mean v1.7 is not vulnerable? But as you know the official pushed the patch to v1.7, so is it possible that we need to update the vuln versions by adding v1.7?

[darakian]

is it possible that we need to update the vuln versions by adding v1.7?

It's possible, but it would need to be shown that 1.7 is vulnerable to the denial of service vuln first.