-------------------------------------------------------------------------
Debian LTS Advisory DLA-4000-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 21, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : sqlparse
Version : 0.4.1-1+deb11u1
CVE ID : CVE-2021-32839 CVE-2023-30608 CVE-2024-4340
Debian Bug : 994841 1034615 1070148
Multiple vulnerabilities were found in sqlparse, a non-validating SQL
parser for Python, which can lead to Denial of Service.
CVE-2021-32839
Erik Krogh Kristensen discovered that the StripComments filter
contains a regular expression that is vulnerable to ReDOS (Regular
Expression Denial of Service). The regular expression may cause
exponential backtracking on strings containing many repetitions of
'\r\n' in SQL comments.
CVE-2023-30608
Erik Krogh Kristensen discovered that the Parser contains a regular
expression that is vulnerable to ReDOS (Regular Expression Denial of
Service).
CVE-2024-4340
Uriya Yavniely discovered that passing a heavily nested list to
sqlparse.parse() may raise a RecursionError exception. A generic
SQLParseError is now raised instead.
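A defensive pre-parse check and wrapper for the two failure modes above (deep nesting that exhausts the recursion stack, and comment text with many '\r\n' repetitions), added here as an example that is not part of the advisory or of sqlparse's own code. It does not import sqlparse: `parse` is any parser callable, and the limits and the stand-in `toy_parse` are constructed for illustration.

```python
class SQLInputRejected(ValueError):
    """Generic error surfaced to callers instead of a RecursionError or a hang."""


def max_nesting_depth(sql):
    """Deepest '(' nesting level, ignoring parentheses inside '...' literals."""
    depth = deepest = 0
    in_literal = False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        elif in_literal:
            continue
        elif ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth = max(0, depth - 1)
    return deepest


def input_problem(sql, max_len=65536, max_depth=64, max_crlf=256):
    """Return why sql fails the pre-parse limits (constructed defaults), or None."""
    if len(sql) > max_len:
        return "statement too long"
    if max_nesting_depth(sql) > max_depth:
        return "nesting too deep"
    # CVE-2021-32839 was triggered by many '\r\n' repetitions in comments;
    # a plain count is a cheap, linear-time pre-filter for that shape of input.
    if sql.count("\r\n") > max_crlf:
        return "too many CRLF sequences"
    return None


def safe_parse(parse, sql, **limits):
    """Parse only after the limits pass; map RecursionError to the generic error."""
    problem = input_problem(sql, **limits)
    if problem:
        raise SQLInputRejected(problem)
    try:
        return parse(sql)
    except RecursionError as exc:
        raise SQLInputRejected("parser recursion limit hit") from exc


def recursion_is_converted(depth=3000):
    """True if a stand-in recursive parser's RecursionError becomes SQLInputRejected."""
    def toy_parse(s):  # one stack frame per '(' level, like a naive parser
        return [toy_parse(s[1:-1])] if s.startswith("(") else s
    try:  # depth limit lifted so the parser itself, not the pre-check, fails
        safe_parse(toy_parse, "(" * depth + ")" * depth, max_depth=depth)
    except SQLInputRejected:
        return True
    return False
```

The pre-check rejects hostile shapes in linear time before the parser sees them, while the wrapper gives callers one exception type to handle, which is the behaviour the fixed package adopts for CVE-2024-4340.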
For Debian 11 bullseye, these problems have been fixed in version
0.4.1-1+deb11u1.
We recommend that you upgrade your sqlparse packages.
For the detailed security status of sqlparse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sqlparse
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS