Accepting request 790549 from devel:languages:python

- update to 3.1.4 (bsc#1168280, CVE-2020-6817): * ``bleach.clean`` behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``. * Style attributes with dashes, or single or double quoted values are cleaned instead of passed through. - update to 3.1.3 (bsc#1167379, CVE-2020-6816): OBS-URL: https://build.opensuse.org/request/show/790549 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-bleach?expand=0&rev=10
2020-04-05 18:51:47 +00:00 · 2020-04-05 18:51:47 +00:00 · cf65231a75
commit cf65231a75
parent 48b9e746b6 5e4292f9bb
4 changed files with 17 additions and 7 deletions
--- a/bleach-3.1.3.tar.gz
+++ b/bleach-3.1.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f8dfd8a7e26443e986c4e44df31870da8e906ea61096af06ba5d5cc2d519842a
-size 176601
--- a/bleach-3.1.4.tar.gz
+++ b/bleach-3.1.4.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e78e426105ac07026ba098f04de8abe9b6e3e98b5befbf89b51a5ef0a4292b03
+size 177813
--- a/python-bleach.changes
+++ b/python-bleach.changes
@ -1,7 +1,19 @@
+-------------------------------------------------------------------
+Wed Apr  1 11:18:24 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 3.1.4 (bsc#1168280, CVE-2020-6817):
+  * ``bleach.clean`` behavior parsing style attributes could result in a
+    regular expression denial of service (ReDoS).
+    Calls to ``bleach.clean`` with an allowed tag with an allowed
+    ``style`` attribute were vulnerable to ReDoS. For example,
+    ``bleach.clean(..., attributes={'a': ['style']})``.
+  * Style attributes with dashes, or single or double quoted values are
+    cleaned instead of passed through.
+
 -------------------------------------------------------------------
 Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <dmueller@suse.com>

- update to 3.1.3 (bsc#1167379):
+- update to 3.1.3 (bsc#1167379, CVE-2020-6816):
  * Add relative link to code of conduct. (#442)
  * Drop deprecated 'setup.py test' support. (#507)
  * Fix typo: curren -> current in tests/test_clean.py (#504)
@ -15,8 +27,6 @@ Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <dmueller@suse.com>
    ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
    ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
    XSS.
-    This security issue was confirmed in Bleach version v3.1.1. Earlier
-    versions are likely affected too.

 -------------------------------------------------------------------
 Fri Feb 28 16:13:43 UTC 2020 - Alexandros Toptsoglou <atoptsoglou@suse.com>
--- a/python-bleach.spec
+++ b/python-bleach.spec
@ -19,7 +19,7 @@

 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-bleach
-Version:        3.1.3
+Version:        3.1.4
 Release:        0
 Summary:        A whitelist-based HTML-sanitizing tool
 License:        Apache-2.0