Source: sqlparse Version: 0.4.2-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for sqlparse. CVE-2023-30608[0]: | sqlparse is a non-validating SQL parser module for Python. In affected | versions the SQL parser contains a regular expression that is | vulnerable to ReDoS (Regular Expression Denial of Service). This issue | was introduced by commit `e75e358`. The vulnerability may lead to | Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 | by commit `c457abd5f`. Users are advised to upgrade. There are no | known workarounds for this issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-30608 https://www.cve.org/CVERecord?id=CVE-2023-30608 [1] https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 [2] https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb Please adjust the affected versions in the BTS as needed. Regards, Salvatore
