openSUSE-SU-2021:0552-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2021:0552-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2021:0552-1
Published
2021-04-14T14:51:29Z
Modified
2021-04-14T14:51:29Z
Summary
Security update for python-bleach
Details

This update for python-bleach fixes the following issues:

  • CVE-2021-23980: Fixed mutation XSS on bleach.clean with specific combinations of allowed tags (boo#1184547)

Update to 3.1.5:

  • replace missing setuptools dependency with packaging. Thank you Benjamin Peterson.

Update to 3.1.4 (boo#1168280, CVE-2020-6817):

  • bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute were vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
  • Style attributes with dashes, or single or double quoted values are cleaned instead of passed through.

Update to 3.1.3 (boo#1167379, CVE-2020-6816):

  • Add relative link to code of conduct. (#442)
  • Drop deprecated 'setup.py test' support. (#507)
  • Fix typo: curren -> current in tests/test_clean.py (#504)
  • Test on PyPy 7
  • Drop test support for end of life Python 3.4
  • bleach.clean behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS. Calls to bleach.clean with strip=False and math or svg tags and one or more of the RCDATA tags script, noscript, style, noframes, iframe, noembed, or xmp in the allowed tags whitelist were vulnerable to a mutation XSS.
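As an added defensive check (not part of this advisory or of bleach itself), the function below inspects the tags, attributes and strip arguments a bleach.clean() call site uses and flags the two combinations described above for CVE-2020-6816 and CVE-2020-6817, so a review can find call sites that must not run on bleach older than 3.1.4. It assumes the dict, list or callable attribute forms the bleach API accepts and does not import bleach.

```python
"""Audit a bleach.clean() configuration for the two weaknesses this advisory describes."""
from typing import Callable, Dict, Iterable, List, Union

# RCDATA tags named in the CVE-2020-6816 description.
RCDATA_TAGS = frozenset({"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"})
FOREIGN_CONTENT_TAGS = frozenset({"math", "svg"})

AttrsType = Union[Dict[str, Iterable[str]], Iterable[str], Callable]


def _style_allowed(tags: List[str], attributes: AttrsType) -> List[str]:
    """Return the allowed tags on which a 'style' attribute would also be allowed."""
    if callable(attributes):
        # bleach accepts a (tag, name, value) -> bool filter; probe it with 'style' on each tag.
        return [t for t in tags if attributes(t, "style", "")]
    if isinstance(attributes, dict):
        # Dict form: per-tag attribute lists plus an optional '*' entry applying to all tags
        # (values are assumed to be attribute-name lists, not per-tag callables).
        hits = []
        for t in tags:
            allowed = set(attributes.get(t, ())) | set(attributes.get("*", ()))
            if "style" in allowed:
                hits.append(t)
        return hits
    # List form: the same attribute names apply to every allowed tag.
    return list(tags) if "style" in set(attributes) else []


def audit_clean_config(tags: Iterable[str], attributes: AttrsType, strip: bool = False) -> List[str]:
    """Return findings (CVE id plus reason) for this tags/attributes/strip combination."""
    tags = [t.lower() for t in tags]
    findings = []
    # CVE-2020-6816: strip=False with math/svg and any RCDATA tag allowed (mutation XSS, fixed in 3.1.3).
    foreign = sorted(FOREIGN_CONTENT_TAGS.intersection(tags))
    rcdata = sorted(RCDATA_TAGS.intersection(tags))
    if not strip and foreign and rcdata:
        findings.append(f"CVE-2020-6816: strip=False with {foreign} and RCDATA tags {rcdata} allowed")
    # CVE-2020-6817: any allowed tag with an allowed 'style' attribute (ReDoS, fixed in 3.1.4).
    styled = _style_allowed(tags, attributes)
    if styled:
        findings.append(f"CVE-2020-6817: 'style' attribute allowed on {styled}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the exact call shape the advisory quotes for CVE-2020-6817.
    for finding in audit_clean_config(["a", "math", "script"], {"a": ["style"]}, strip=False):
        print(finding)
```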
References

Affected packages

openSUSE:Leap 15.2 / python-bleach

Package

Name
python-bleach
Purl
purl:rpm/suse/python-bleach&distro=openSUSE%20Leap%2015.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.1.5-lp152.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python2-bleach": "3.1.5-lp152.2.3.1",
            "python3-bleach": "3.1.5-lp152.2.3.1"
        }
    ]
}