- update to 3.1.4 (bsc#1168280, CVE-2020-6817):

* ``bleach.clean`` behavior parsing style attributes could result in a
    regular expression denial of service (ReDoS).
    Calls to ``bleach.clean`` with an allowed tag with an allowed
    ``style`` attribute were vulnerable to ReDoS. For example,
    ``bleach.clean(..., attributes={'a': ['style']})``.
  * Style attributes with dashes, or single or double quoted values are
    cleaned instead of passed through.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=35

bleach-3.1.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f8dfd8a7e26443e986c4e44df31870da8e906ea61096af06ba5d5cc2d519842a
-size 176601

bleach-3.1.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e78e426105ac07026ba098f04de8abe9b6e3e98b5befbf89b51a5ef0a4292b03
+size 177813

python-bleach.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Apr  1 11:18:24 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 3.1.4 (bsc#1168280, CVE-2020-6817):
+  * ``bleach.clean`` behavior parsing style attributes could result in a
+    regular expression denial of service (ReDoS).
+    Calls to ``bleach.clean`` with an allowed tag with an allowed
+    ``style`` attribute were vulnerable to ReDoS. For example,
+    ``bleach.clean(..., attributes={'a': ['style']})``.
+  * Style attributes with dashes, or single or double quoted values are
+    cleaned instead of passed through.
+
 -------------------------------------------------------------------
 Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <dmueller@suse.com>
 

python-bleach.spec

@@ -19,7 +19,7 @@
 
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-bleach
-Version:        3.1.3
+Version:        3.1.4
 Release:        0
 Summary:        A whitelist-based HTML-sanitizing tool
 License:        Apache-2.0