PublicDateAtUSN: 2021-09-20 17:15:00 UTC
Candidate: CVE-2021-32839
PublicDate: 2021-09-20 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32839
 https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
 https://ubuntu.com/security/notices/USN-5085-1
Description:
 sqlparse is a non-validating SQL parser module for Python. In sqlparse
 versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in
 sqlparse vulnerability. The regular expression may cause exponential
 backtracking on strings containing many repetitions of '\r\n' in SQL
 comments. Only the formatting feature that removes comments from SQL
 statements is affected by this regular expression. As a workaround don't
 use the sqlformat.format function with keyword strip_comments=True or the
 --strip-comments command line flag when using the sqlformat command line
 tool. The issues has been fixed in sqlparse 0.4.2.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 0.4.0 by:
 mdeslaur> https://github.com/andialbrecht/sqlparse/commit/1499cffcd7c4d635b4297b44d48fb4fe94cf988e
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_sqlparse:
 upstream: https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb
upstream_sqlparse: released (0.4.2)
trusty_sqlparse: ignored (out of standard support)
trusty/esm_sqlparse: DNE
xenial_sqlparse: ignored (out of standard support)
esm-infra/xenial_sqlparse: not-affected
bionic_sqlparse: not-affected (0.2.4-0.1)
focal_sqlparse: not-affected (0.2.4-3)
hirsute_sqlparse: released (0.4.1-1ubuntu0.1)
impish_sqlparse: released (0.4.1-1ubuntu1)
jammy_sqlparse: released (0.4.1-1ubuntu1)
devel_sqlparse: released (0.4.1-1ubuntu1)