Security update for python-bleach SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0552-1 Final 1 1 2021-04-14T14:51:29Z current 2021-04-14T14:51:29Z 2021-04-14T14:51:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-bleach This update for python-bleach fixes the following issues: - CVE-2021-23980: Fixed mutation XSS on bleach.clean with specific combinations of allowed tags (boo#1184547) Update to 3.1.5: * replace missing ``setuptools`` dependency with ``packaging``. Thank you Benjamin Peterson. Update to 3.1.4 (boo#1168280, CVE-2020-6817): * ``bleach.clean`` behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``. * Style attributes with dashes, or single or double quoted values are cleaned instead of passed through. update to 3.1.3 (boo#1167379, CVE-2020-6816): * Add relative link to code of conduct. (#442) * Drop deprecated 'setup.py test' support. (#507) * Fix typo: curren -> current in tests/test_clean.py (#504) * Test on PyPy 7 * Drop test support for end of life Python 3.4 * ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS. Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-552 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/ E-Mail link for openSUSE-SU-2021:0552-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1167379 SUSE Bug 1167379 https://bugzilla.suse.com/1168280 SUSE Bug 1168280 https://bugzilla.suse.com/1184547 SUSE Bug 1184547 https://www.suse.com/security/cve/CVE-2020-6816/ SUSE CVE CVE-2020-6816 page https://www.suse.com/security/cve/CVE-2020-6817/ SUSE CVE CVE-2020-6817 page https://www.suse.com/security/cve/CVE-2021-23980/ SUSE CVE CVE-2021-23980 page openSUSE Leap 15.2 python2-bleach-3.1.5-lp152.2.3.1 python3-bleach-3.1.5-lp152.2.3.1 python2-bleach-3.1.5-lp152.2.3.1 as a component of openSUSE Leap 15.2 python3-bleach-3.1.5-lp152.2.3.1 as a component of openSUSE Leap 15.2 In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. CVE-2020-6816 openSUSE Leap 15.2:python2-bleach-3.1.5-lp152.2.3.1 openSUSE Leap 15.2:python3-bleach-3.1.5-lp152.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/ https://www.suse.com/security/cve/CVE-2020-6816.html CVE-2020-6816 https://bugzilla.suse.com/1167379 SUSE Bug 1167379 bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). CVE-2020-6817 openSUSE Leap 15.2:python2-bleach-3.1.5-lp152.2.3.1 openSUSE Leap 15.2:python3-bleach-3.1.5-lp152.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/ https://www.suse.com/security/cve/CVE-2020-6817.html CVE-2020-6817 https://bugzilla.suse.com/1168280 SUSE Bug 1168280 A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True. CVE-2021-23980 openSUSE Leap 15.2:python2-bleach-3.1.5-lp152.2.3.1 openSUSE Leap 15.2:python3-bleach-3.1.5-lp152.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/ https://www.suse.com/security/cve/CVE-2021-23980.html CVE-2021-23980 https://bugzilla.suse.com/1184547 SUSE Bug 1184547