python/python-bleach
SHA256
14
0
Fork 0
forked from pool/python-bleach
Code Pull Requests Activity

- update to 3.1.4 (bsc#1168280, CVE-2020-6817):

Browse Source 
* ``bleach.clean`` behavior parsing style attributes could result in a
    regular expression denial of service (ReDoS).
    Calls to ``bleach.clean`` with an allowed tag with an allowed
    ``style`` attribute were vulnerable to ReDoS. For example,
    ``bleach.clean(..., attributes={'a': ['style']})``.
  * Style attributes with dashes, or single or double quoted values are
    cleaned instead of passed through.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=35
This commit is contained in:
Dirk Mueller
2020-04-01 11:21:16 +00:00
committed by Git OBS Bridge
parent e36ce7b3c2
commit 5e4292f9bb
4 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
python-bleach.changes
View File

@@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Apr 1 11:18:24 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- update to 3.1.4 (bsc#1168280, CVE-2020-6817):
* ``bleach.clean`` behavior parsing style attributes could result in a
regular expression denial of service (ReDoS).
Calls to ``bleach.clean`` with an allowed tag with an allowed
``style`` attribute were vulnerable to ReDoS. For example,
``bleach.clean(..., attributes={'a': ['style']})``.
* Style attributes with dashes, or single or double quoted values are
cleaned instead of passed through.
-------------------------------------------------------------------
Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <dmueller@suse.com>