diff mbox series

[meta-openembedded,scarthgap,1/2] python3-django 5.0.11: ignore CVE-2025-27556

Message ID 20251107102116.924586-1-adongare@cisco.com
State New
Headers show
Series [meta-openembedded,scarthgap,1/2] python3-django 5.0.11: ignore CVE-2025-27556 | expand

Commit Message

Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) Nov. 7, 2025, 10:21 a.m. UTC 
From: Anil Dongare <adongare@cisco.com>

Upstream Repository: https://github.com/django/django.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27556
Type: Security Advisory
CVE: CVE-2025-27556
Score: 7.5

Analysis:
- CVE-2025-27556 affects Django 5.1 before 5.1.8 and 5.0 before 5.0.14.
- The issue occurs due to slow NFKC normalization on Windows, which can cause
  a denial-of-service (DoS) when handling inputs containing a very large number
  of Unicode characters.
- Affected Django components:
	django.contrib.auth.views.LoginView
	django.contrib.auth.views.LogoutView
	django.views.i18n.set_language

- This performance degradation is specific to Windows, caused by the Windows
  Unicode normalization implementation.

 Reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2025-27556
 - https://github.com/django/django/commit/2cb311f7b069

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 meta-python/recipes-devtools/python/python3-django_5.0.11.bb | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series

Patch

diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb b/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
index 5060f3c9ad..43be30c7ec 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
@@ -1,6 +1,9 @@ 
 require python-django.inc
 inherit setuptools3
 
+# Windows-specific DoS via NFKC normalization, not applicable to Linux
+CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"
+
 SRC_URI[sha256sum] = "e7d98fa05ce09cb3e8d5ad6472fb602322acd1740bfdadc29c8404182d664f65"
 
 RDEPENDS:${PN} += "\