Yoff

**Name of the Vulnerable Software and Affected Versions** mechanize versions prior to 0.4.6 **Description** The mechanize library, used for automatically interacting with HTTP web servers, contains a regular expression vulnerable to regular expression denial of service (ReDoS). If a web server responds maliciously, mechanize could crash. **Recommendations** For versions prior to 0.4.6, update to version 0.4.6 to resolve the issue. As a temporary workaround, consider restricting interactions with potentially malicious web servers until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Zulip versions prior to 4.7 **Description** Zulip is an open source team chat server that allows organization administrators to configure linkifiers, which automatically create links from messages sent by users, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks by configuring a quadratic-time regular expression in a linkifier and sending messages that exploited it. The regular expression attempted to parse user-provided regexes to verify they were safe from ReDoS, but this was insufficient and itself subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. **Recommendations** For versions prior to 4.7, upgrade to the just-released Zulip 4.7 or switch to the `main` branch to resolve the issue. As a temporary workaround, consider restricting the ability of organization administrators to configure linkifiers until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** sqlparse versions 0.4.0 through 0.4.1 **Description** The issue is related to a regular Expression Denial of Service in the sqlparse module for Python. The regular expression may cause exponential backtracking on strings containing many repetitions of `r ` in SQL comments. This affects the formatting feature that removes comments from SQL statements. **Recommendations** For sqlparse versions 0.4.0 and 0.4.1, as a workaround, do not use the `sqlformat.format` function with keyword `strip comments=True` or the `--strip-comments` command line flag when using the `sqlformat` command line tool. For sqlparse versions 0.4.0 and 0.4.1, update to sqlparse 0.4.2 to fix the issue.