http://bugzilla.opensuse.org/show_bug.cgi?id=1168280

Bug ID: 1168280
Summary: VUL-0: CVE-2020-6817: python-bleach: Regular expression denial of service in BleachSanitizerFilter.sanitize_css
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
URL: https://smash.suse.de/issue/256206/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: dmueller@suse.com
Reporter: atoptsoglou@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2020-6817

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

Workarounds:
do not whitelist the style attribute in bleach.clean calls
limit input string length

References
https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
https://www.regular-expressions.info/redos.html
https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-an...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817
https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm
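The two workarounds above (never allow the style attribute, cap input length) as a wrapper around bleach.clean. This is an added example, not code from the bug report or the bleach project; the function names, the 100000-character cap and the handling of the three allowlist forms bleach accepts (list, dict, callable) are this example's assumptions.

```python
"""Hardening wrapper for bleach.clean against CVE-2020-6817 (ReDoS while parsing
style attributes). Added example, not part of the bug report or of bleach itself."""
from typing import Callable, Dict, List, Union

# Assumed cap for this example; pick a value that fits the application's inputs.
MAX_INPUT_LEN = 100_000

AttrCheck = Callable[[str, str, str], bool]
AttrSpec = Union[List[str], Dict[str, Union[List[str], AttrCheck]], AttrCheck]


def strip_style_attribute(attributes: AttrSpec) -> AttrSpec:
    """Return an equivalent bleach attribute allowlist that can never admit 'style'.

    bleach accepts a list of names, a dict of tag -> list/callable (with '*' as a
    wildcard tag), or a single callable(tag, name, value). All three are handled.
    """
    if callable(attributes):
        def never_style(tag: str, name: str, value: str) -> bool:
            # Reject 'style' before delegating to the caller's own policy.
            return name.lower() != "style" and bool(attributes(tag, name, value))
        return never_style
    if isinstance(attributes, dict):
        # Per-tag values may themselves be lists or callables; recurse on each.
        return {tag: strip_style_attribute(spec) for tag, spec in attributes.items()}
    return [name for name in attributes if name.lower() != "style"]


def check_input_length(text: str, max_len: int = MAX_INPUT_LEN) -> str:
    """Second workaround: refuse oversized input before the regex ever runs."""
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds limit of {max_len}")
    return text


def safe_clean(text: str, tags: List[str], attributes: AttrSpec,
               max_len: int = MAX_INPUT_LEN, **kwargs) -> str:
    """bleach.clean with both workarounds applied. Imports bleach lazily so the
    allowlist and length helpers can be tested without the third-party package."""
    import bleach  # third-party; only needed when actually sanitizing
    check_input_length(text, max_len)
    return bleach.clean(text, tags=tags, attributes=strip_style_attribute(attributes), **kwargs)


if __name__ == "__main__":
    # Constructed sample: the exact shape the advisory calls out as vulnerable.
    print(strip_style_attribute({"a": ["href", "style"]}))  # {'a': ['href']}
```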