Mailinglist Archive: opensuse-updates (111 mails)

openSUSE-SU-2018:0402-1: moderate: Security update for python-mistune
openSUSE Security Update: Security update for python-mistune
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:0402-1
Rating: moderate
References: #1064640 #1072307
Cross-References: CVE-2017-15612 CVE-2017-16876
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for python-mistune to version 0.8.3 fixes several issues.

These security issues were fixed:

- CVE-2017-16876: Cross-site scripting (XSS) vulnerability in the _keyify
function in mistune.py allowed remote attackers to inject arbitrary web
script or HTML by leveraging failure to escape the "key" argument
(bsc#1072307).
- CVE-2017-15612: Prevent XSS via an unexpected newline (such as in
java\nscript:) or a crafted email address, related to the escape and
autolink functions (bsc#1064640).
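The newline trick named in CVE-2017-15612 defeats a scheme check that only looks at the raw prefix of the URL. The following is an added illustration, not mistune's own code (function names and the scheme list are assumptions): a naive check beside a hardened one that strips whitespace and control characters before comparing, and a renderer that drops rather than emits an unsafe href.

```python
import re
from html import escape

# Constructed example, not mistune's escape_link: schemes a renderer should
# never emit in an href. Kept short on purpose; extend per deployment.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:")

def naive_is_safe(link: str) -> bool:
    """Weak check: a newline inside the scheme (java\\nscript:) defeats the
    prefix test because the raw string no longer starts with 'javascript:'."""
    return not link.lower().startswith(DANGEROUS_SCHEMES)

def hardened_is_safe(link: str) -> bool:
    """Normalize first: browsers ignore whitespace and control characters
    inside a scheme, so remove them before the prefix comparison."""
    normalized = re.sub(r"[\s\x00-\x1f\x7f]+", "", link).lower()
    return not normalized.startswith(DANGEROUS_SCHEMES)

def render_link(link: str, text: str, is_safe=hardened_is_safe) -> str:
    """Render an <a> element; an unsafe href is replaced by an empty one
    and both attribute and text are HTML-escaped."""
    href = escape(link, quote=True) if is_safe(link) else ""
    return f'<a href="{href}">{escape(text)}</a>'
```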

These non-security issues were fixed:

- Fix nested html issue
- Fix _keyify with lower case.
- Remove non breaking spaces preprocessing
- Remove rev and rel attribute for footnotes
- Fix escape_link method
- Handle block HTML with no content
- Use expandtabs for tab
- Fix escape option for text renderer
- Fix HTML attribute regex pattern
- Fix strikethrough regex
- Fix HTML attribute regex
- Fix close tag regex
- Fix hard_wrap options on renderer.
- Fix emphasis regex pattern
- Fix base64 image link
- Fix link security per
- Fix inline html when there is no content per


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-148=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.3 (noarch):

python-mistune-0.8.3-11.1
python3-mistune-0.8.3-9.1


References:

https://www.suse.com/security/cve/CVE-2017-15612.html
https://www.suse.com/security/cve/CVE-2017-16876.html
https://bugzilla.suse.com/1064640
https://bugzilla.suse.com/1072307

