- update to 3.1.4 (bsc#1168280, CVE-2020-6817):

  * ``bleach.clean`` behavior parsing style attributes could result in a
    regular expression denial of service (ReDoS).
    Calls to ``bleach.clean`` with an allowed tag with an allowed
    ``style`` attribute were vulnerable to ReDoS. For example,
    ``bleach.clean(..., attributes={'a': ['style']})``.
  * Style attributes with dashes, or single- or double-quoted values, are
    cleaned instead of passed through.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=35
Dirk Mueller 2020-04-01 11:21:16 +00:00 committed by Git OBS Bridge
parent e36ce7b3c2
commit 5e4292f9bb
4 changed files with 16 additions and 4 deletions
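The two tarball hunks in this commit replace one Git LFS pointer (version, `oid sha256:`, `size`) with another, and that oid is the only integrity record the package repository keeps for the upstream archive. The following is an added example, not part of the OBS package or of bleach: a small parser for the LFS v1 pointer format plus a check that a downloaded archive matches the pointer's size and sha256. The `SAMPLE_TARBALL` bytes are constructed here so the code runs offline; `PAGE_POINTER` copies the 3.1.4 pointer text from the commit verbatim and is only parsed, not verified against a real file.

```python
import hashlib
import re

# Git LFS pointer format (spec v1): three lines "version", "oid sha256:<hex>", "size <bytes>".
_VERSION = "https://git-lfs.github.com/spec/v1"
_OID_RE = re.compile(r"^oid sha256:([0-9a-f]{64})$")
_SIZE_RE = re.compile(r"^size (\d+)$")


def parse_lfs_pointer(text):
    """Parse a Git LFS v1 pointer into (oid_hex, size). Raises ValueError on malformed input."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 3 or lines[0] != f"version {_VERSION}":
        raise ValueError("not a git-lfs v1 pointer")
    m_oid = _OID_RE.match(lines[1])
    m_size = _SIZE_RE.match(lines[2])
    if not (m_oid and m_size):
        raise ValueError("malformed oid or size line")
    return m_oid.group(1), int(m_size.group(1))


def verify_tarball(pointer_text, data):
    """Return True only if the archive bytes match both the size and the sha256 in the pointer.

    The size check is cheap and catches truncation; the digest check is the actual
    integrity test. Neither value is secret, so a plain comparison is fine.
    """
    oid, size = parse_lfs_pointer(pointer_text)
    if len(data) != size:
        return False
    return hashlib.sha256(data).hexdigest() == oid


def pointer_for(data):
    """Build the pointer text git-lfs would write for data (used to construct the sample)."""
    digest = hashlib.sha256(data).hexdigest()
    return f"version {_VERSION}\noid sha256:{digest}\nsize {len(data)}\n"


# Constructed sample archive (not a real bleach tarball) and its matching pointer.
SAMPLE_TARBALL = b"constructed-sample-archive-bytes\n" * 8
SAMPLE_POINTER = pointer_for(SAMPLE_TARBALL)

# Pointer text for bleach-3.1.4.tar.gz as shown in this commit (copied from the page).
PAGE_POINTER = """version https://git-lfs.github.com/spec/v1
oid sha256:e78e426105ac07026ba098f04de8abe9b6e3e98b5befbf89b51a5ef0a4292b03
size 177813
"""

if __name__ == "__main__":
    print(verify_tarball(SAMPLE_POINTER, SAMPLE_TARBALL))           # True
    print(verify_tarball(SAMPLE_POINTER, SAMPLE_TARBALL + b"x"))    # False (size mismatch)
    print(parse_lfs_pointer(PAGE_POINTER))
```

In a packaging workflow the `data` argument would be the archive fetched from the upstream release page or PyPI, so a `False` result means the tarball checked into the package repository does not correspond to what upstream published.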


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f8dfd8a7e26443e986c4e44df31870da8e906ea61096af06ba5d5cc2d519842a
size 176601
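Review bot: the removed LFS pointer (oid sha256:f8dfd8a7..., size 176601) appears here without its file name in this view; from the `Version: 3.1.3` line in the spec hunk it should be the 3.1.3 tarball, so confirm the deleted file is the old bleach-3.1.3 archive and that no other file in the package still refers to that name.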

bleach-3.1.4.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e78e426105ac07026ba098f04de8abe9b6e3e98b5befbf89b51a5ef0a4292b03
size 177813
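Review bot: this oid is the only integrity record for bleach-3.1.4.tar.gz in the package repository and the commit gives no upstream reference for it, so verify sha256 e78e426105ac07026ba098f04de8abe9b6e3e98b5befbf89b51a5ef0a4292b03 against the checksum published with the upstream 3.1.4 release before accepting; the size growing from 176601 to 177813 bytes is consistent with a small point release.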


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Apr 1 11:18:24 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- update to 3.1.4 (bsc#1168280, CVE-2020-6817):
* ``bleach.clean`` behavior parsing style attributes could result in a
regular expression denial of service (ReDoS).
Calls to ``bleach.clean`` with an allowed tag with an allowed
``style`` attribute were vulnerable to ReDoS. For example,
``bleach.clean(..., attributes={'a': ['style']})``.
* Style attributes with dashes, or single or double quoted values are
cleaned instead of passed through.
-------------------------------------------------------------------
Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <dmueller@suse.com>
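Review bot: the second bullet ("Style attributes with dashes, or single or double quoted values are cleaned instead of passed through") is a user-visible behaviour change rather than part of the CVE fix, so state that `bleach.clean` output may differ for such values after this update so that dependent packages can be checked. Also, the new header line `Wed Apr 1 11:18:24 UTC 2020 - Dirk Mueller <dmueller@suse.com>` is not followed by a blank line before `- update to 3.1.4`, while the `Mon Mar 23` entry below it is; if that is not a rendering artifact, add the blank line to keep the .changes format consistent.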


@ -19,7 +19,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-bleach
Version: 3.1.3
Version: 3.1.4
Release: 0
Summary: A whitelist-based HTML-sanitizing tool
License: Apache-2.0
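Review bot: only `Version:` changes in this hunk, and keeping `Release: 0` is correct for OBS, which sets the release at build time. The `Source:` line that must resolve to the new bleach-3.1.4.tar.gz is outside the shown context, so confirm it uses `%{version}` (or was updated) so the build picks up the added tarball rather than the deleted one.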