Version 2.1.3 (March 5th, 2018)

Security fixes

  • Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

This security issue was introduced in Bleach 2.1. Anyone using Bleach 2.1 is highly encouraged to upgrade.
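The class of flaw described above, as an added example (not Bleach's code): a scheme allowlist check run on the raw attribute text, next to one that decodes character references before checking. The allowlist, function names and sample values are assumptions constructed for this illustration.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist for this example
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def _scheme(text):
    """Return the lowercased URI scheme, or None when no scheme parses."""
    m = _SCHEME.match(text.strip())
    return m.group(1).lower() if m else None

def naive_is_allowed(attr_value):
    # Flawed: inspects the attribute text exactly as written in the markup.
    # An entity-encoded value shows no scheme here, so it is treated as a
    # relative URL and passes.
    scheme = _scheme(attr_value)
    return scheme is None or scheme in ALLOWED_SCHEMES

def hardened_is_allowed(attr_value):
    # Decode character references first, so the check sees the value the
    # browser will act on.
    decoded = html.unescape(attr_value)
    scheme = _scheme(decoded)
    if scheme is not None:
        return scheme in ALLOWED_SCHEMES
    # No scheme parsed: accept only values that are unambiguously relative.
    # A colon before the first "/", "?" or "#" is rejected rather than guessed at.
    head = re.split(r"[/?#]", decoded, maxsplit=1)[0]
    return ":" not in head

# Constructed sample attribute values.
SAMPLES = [
    "https://example.com/a?b=1&amp;c=2",
    "/docs/index.html",
    "javascript:void(0)",
    "javascript&#58;void(0)",
    "javascript&#x3a;void(0)",
    "java&#115;cript:void(0)",
]

def audit(values):
    """Return (value, naive verdict, hardened verdict) for each value."""
    return [(v, naive_is_allowed(v), hardened_is_allowed(v)) for v in values]

if __name__ == "__main__":
    for value, naive, hardened in audit(SAMPLES):
        print(f"{value!r:40} naive={naive!s:5} hardened={hardened}")
```

The last three samples pass the naive check and are rejected by the hardened one; the first two are accepted by both.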

Backwards incompatible changes

None

Features

None

Bug fixes

  • Fixed some other edge cases for attribute URI value sanitizing and improved testing of this code.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-994424b810

This update has been submitted for testing by ignatenkobrain.

2 years ago

ignatenkobrain edited this update.

2 years ago

This update has been pushed to testing.

2 years ago

This update has reached 3 days in testing and can be pushed to stable now if the maintainer wishes.

2 years ago

This update has been submitted for batched by ignatenkobrain.

2 years ago

This update has been submitted for stable by ignatenkobrain.

2 years ago

bowlofeggs edited this update.

2 years ago

This update has been pushed to stable.

2 years ago


Metadata

  • Type: security
  • Karma: 0
  • Signed
  • Content Type: RPM
  • Test Gating

Settings

  • Unstable by Karma: -3
  • Stable by Karma: 2

Dates

  • submitted: 2 years ago
  • in testing: 2 years ago
  • in stable: 2 years ago
  • modified: 2 years ago

BZ#1551804 python-bleach-2.1.3 is available
BZ#1558268 CVE-2018-7753 python-bleach: URI Scheme Restriction Bypass with character entities [fedora-26]
