Description
Security update for python-mistune
This update for python-mistune to version 0.8.3 fixes several issues.
These security issues were fixed:
- CVE-2017-16876: Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py allowed remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the 'key' argument (bsc#1072307).
- CVE-2017-15612: Prevent XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions (bsc#1064640).
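The failure mode behind CVE-2017-15612, as an added example (not mistune's code and not part of the advisory): a scheme check on the raw string misses `java\nscript:` because browsers drop tabs and newlines while parsing a URL. The function names, the blocked-scheme list and the sample URLs are assumptions constructed for illustration.

```python
import html
import re

# Assumed deny-list for illustration; a real renderer may prefer an allow-list.
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")

# Browser URL parsing strips leading C0 controls/spaces and removes every
# ASCII tab, LF and CR, so "java\nscript:" still resolves to "javascript:".
_LEADING = re.compile(r"^[\x00-\x20]+")
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")


def naive_is_safe(url):
    """Weak check: looks only at the raw string prefix."""
    return not url.lower().startswith(BLOCKED_SCHEMES)


def hardened_is_safe(url):
    """Normalise the way a browser does before comparing the scheme."""
    normalised = _TAB_OR_NEWLINE.sub("", _LEADING.sub("", url)).lower()
    return not normalised.startswith(BLOCKED_SCHEMES)


def safe_href(url):
    """Return an attribute-escaped href, or an empty string if rejected."""
    return html.escape(url, quote=True) if hardened_is_safe(url) else ""


def missed_by_naive(urls):
    """URLs the weak check accepts but the hardened check rejects."""
    return [u for u in urls if naive_is_safe(u) and not hardened_is_safe(u)]


# Constructed sample inputs, not taken from the advisory.
SAMPLES = [
    "https://example.org/?a=1&b=2",
    "javascript:void(0)",
    "java\nscript:void(0)",
    " \tJavaScript:void(0)",
    "mailto:user@example.org",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(repr(u), naive_is_safe(u), hardened_is_safe(u), repr(safe_href(u)))
```

Running a check like `missed_by_naive` over stored user content is one way to find links that were accepted by an unpatched renderer before the update was installed.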
These non-security issues were fixed:
- Fix nested html issue
- Fix _keyify with lower case.
- Remove non breaking spaces preprocessing
- Remove rev and rel attribute for footnotes
- Fix escape_link method
- Handle block HTML with no content
- Use expandtabs for tab
- Fix escape option for text renderer
- Fix HTML attribute regex pattern
- Fix strikethrough regex
- Fix HTML attribute regex
- Fix close tag regex
- Fix hard_wrap options on renderer.
- Fix emphasis regex pattern
- Fix base64 image link
- Fix link security per
- Fix inline html when there is no content per
Package list
openSUSE Leap 42.3
python-mistune-0.8.3-11.1
python3-mistune-0.8.3-9.1
References
- E-Mail link for openSUSE-SU-2018:0402-1
- SUSE Security Ratings
Description
mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
Affected products
openSUSE Leap 42.3:python-mistune-0.8.3-11.1
openSUSE Leap 42.3:python3-mistune-0.8.3-9.1
References
- CVE-2017-15612
- SUSE Bug 1064640
Description
Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.
Affected products
openSUSE Leap 42.3:python-mistune-0.8.3-11.1
openSUSE Leap 42.3:python3-mistune-0.8.3-9.1
References
- CVE-2017-16876
- SUSE Bug 1072307