- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- Matheus Polkorny
- Date:
- 2026-05-28 12:59:02 UTC
- Severity:
- normal
- Tags:
[ Reason ]
Fix ReDoS vulnerability in email validation: CVE-2024-3772. [1]

[ Impact ]
A crafted email string can trigger exponential backtracking in the validation regex, leading to excessive CPU usage and potential denial of service.

[ Tests ]
The upstream project added tests to validate the fix. The proof of concept [2] provided for CVE-2024-3772 was reproduced on the vulnerable version and is no longer effective after applying the patch.

Debusine: https://debusine.debian.net/debian/developers/work-request/728372/

[ Risks ]
Low to moderate risk. The change is limited to regex adjustment/backport from upstream.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream patch fixing ReDoS in email validation logic.

[ Other info ]
@cjwatson has reviewed this backport and will probably sponsor it.

[1] https://security-tracker.debian.org/tracker/CVE-2024-3772
[2] https://github.com/pydantic/pydantic/pull/7360
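The [ Impact ] section above describes the mechanism (a nested quantifier that makes a failing match cost exponential time in the length of the local part) without reproducing the regex. The following is an added, constructed illustration of that class of bug and of the shape of the fix; it is not pydantic's validation regex, not the upstream patch, and not the proof of concept from [2]. The two patterns, the `MAX_EMAIL_LEN` ceiling and the timing helper are all assumptions made for this example.

```python
"""Constructed ReDoS demonstration for an e-mail-style regex.

Added example code: the patterns below are stand-ins chosen to show
catastrophic backtracking, not pydantic's regex or the CVE-2024-3772 PoC.
"""
import re
import time

# Constructed vulnerable pattern. The nested quantifier ([a-z0-9]+)+ lets the
# engine try every way of splitting the local part into groups before it can
# conclude that no '@' follows, so a local part of n letters costs O(2**n).
VULNERABLE_EMAIL = re.compile(r"^([a-z0-9]+)+@[a-z0-9.-]+$")

# Hardened stand-in: one quantifier per character class, so each character
# can be consumed in exactly one way and a failing match is linear in n.
HARDENED_EMAIL = re.compile(r"^[a-z0-9]+@[a-z0-9.-]+$")

# Assumed length ceiling applied before the regex runs: bounding the input
# bounds the regex work even if a pattern still has some backtracking.
MAX_EMAIL_LEN = 254


def crafted_input(n: int) -> str:
    """Local part of n letters followed by a byte that can never match '@'."""
    return "a" * n + "!"


def validate(pattern: re.Pattern, value: str) -> bool:
    """Length check first, then the regex; returns True for a well-formed address."""
    if len(value) > MAX_EMAIL_LEN:
        return False
    return pattern.fullmatch(value) is not None


def time_match(pattern: re.Pattern, value: str, repeats: int = 5) -> float:
    """Best-of-N wall-clock seconds for one fullmatch attempt (min filters noise)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.fullmatch(value)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: re.Pattern, small: int = 10, large: int = 18) -> float:
    """How many times longer the crafted input of length `large` takes than `small`.

    For the vulnerable pattern this approaches 2**(large-small); for the
    hardened one it stays close to 1 (a handful at most under timer noise).
    """
    t_small = max(time_match(pattern, crafted_input(small)), 1e-6)
    t_large = time_match(pattern, crafted_input(large))
    return t_large / t_small


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE_EMAIL), ("hardened", HARDENED_EMAIL)):
        print(f"{name:10s} growth 10->18 chars: {growth_ratio(pat):8.1f}x")
```

The constructed inputs stop at 18 characters so the demonstration finishes in milliseconds; the same shape of input at a few dozen characters is what turns a validation call into a CPU-bound denial of service. When checking an installed package for the real issue, run the upstream proof of concept referenced in [2] against it rather than this stand-in.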
Hi,

Please go ahead.

Thanks,
package release.debian.org
tags 1137610 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: pydantic
Version: 1.10.4-1+deb12u1

Explanation: fix denial of service in email verification [CVE-2024-3772]