Source: sqlparse
Version: 0.4.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for sqlparse.

CVE-2021-32839[0]:
| sqlparse is a non-validating SQL parser module for Python. In sqlparse
| versions 0.4.0 and 0.4.1 there is a regular expression denial of
| service in sqlparse vulnerability. The regular expression may cause
| exponential backtracking on strings containing many repetitions of
| '\r\n' in SQL comments. Only the formatting feature that removes
| comments from SQL statements is affected by this regular expression.
| As a workaround don't use the sqlformat.format function with keyword
| strip_comments=True or the --strip-comments command line flag when
| using the sqlformat command line tool. The issue has been fixed in
| sqlparse 0.4.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32839
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32839
[1] https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
[2] https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb

Regards,
Salvatore
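A regression check a packager can run after updating, added here as an example (it is not part of the bug report or of the sqlparse project): it compares the installed version against the 0.4.2 fix named in the advisory, builds a SQL comment made of repeated '\r\n' as the advisory describes, and times the one affected code path, sqlparse.format(..., strip_comments=True). The repeat count and the time budget are assumed values, and the check degrades to a version-only verdict when sqlparse is not importable.

```python
# Added regression check for CVE-2021-32839 (example, not from the bug report
# or the sqlparse project); repeat count and time budget are assumed values.
import re
import time
from importlib.metadata import PackageNotFoundError, version

FIRST_AFFECTED = (0, 4, 0)  # advisory: 0.4.0 and 0.4.1 are affected
FIXED_VERSION = (0, 4, 2)   # advisory: fixed in sqlparse 0.4.2


def parse_version(text):
    """'0.4.1-1' -> (0, 4, 1); None if the string has no X.Y.Z prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(text):
    """True only for the releases the advisory names as vulnerable."""
    v = parse_version(text)
    return v is not None and FIRST_AFFECTED <= v < FIXED_VERSION


def build_comment_statement(repeats):
    """Constructed trigger-shaped input: one comment of `repeats` '\\r\\n'."""
    return "SELECT 1; /*" + "\r\n" * repeats + "*/ SELECT 2;"


def time_strip_comments(sql):
    """Elapsed seconds for the affected feature, or None if sqlparse is absent."""
    try:
        import sqlparse
    except ImportError:
        return None
    start = time.perf_counter()
    sqlparse.format(sql, strip_comments=True)  # the only affected code path
    return time.perf_counter() - start


def check_installed(repeats=10000, budget_seconds=2.0):
    """(version, affected_by_version, elapsed, over_budget) for this install."""
    try:
        installed = version("sqlparse")
    except PackageNotFoundError:
        return (None, None, None, None)
    elapsed = time_strip_comments(build_comment_statement(repeats))
    over = elapsed is not None and elapsed > budget_seconds
    return (installed, is_affected_version(installed), elapsed, over)
```

A package is in good shape when both verdicts are negative: the version is at or past 0.4.2 and the timed call stays inside the budget.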