#14589: Jinja2-2.11.3
-------------------------+---------------------
 Reporter:  renodr       |       Owner:  renodr
     Type:  enhancement  |      Status:  closed
 Priority:  high         |   Milestone:  10.1
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:  fixed
 Keywords:               |
-------------------------+---------------------
Changes (by renodr):

 * priority:  normal => high


Comment:

 Checking my email this morning, I discovered that Jinja2-2.11.3 fixed a
 CVE, CVE-2020-28493. I'll fill out the SA with the other two today
 (PostgreSQL / XTerm). I'll mark this one as Low / Medium severity.

 {{{
 Arch Linux Security Advisory ASA-202102-19
 ==========================================

 Severity: Low
 Date    : 2021-02-07
 CVE-ID  : CVE-2020-28493
 Package : python-jinja
 Type    : denial of service
 Remote  : Yes
 Link    : https://security.archlinux.org/AVG-1523

 Summary
 =======

 The package python-jinja before version 2.11.3-1 is vulnerable to
 denial of service.

 Resolution
 ==========

 Upgrade to 2.11.3-1.

 # pacman -Syu "python-jinja>=2.11.3-1"

 The problem has been fixed upstream in version 2.11.3.

 Workaround
 ==========

 None.

 Description
 ===========

 A security issue was found in python-jinja before version 2.11.3. The
 regular expression denial of service vulnerability is mainly due to the
 sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+. This issue can be mitigated
 by using Markdown to format user content instead of the urlize filter, or
 by implementing request timeouts and limiting process memory.

 Impact
 ======

 A remote user might cause a huge CPU utilization via specially crafted
 input.

 References
 ==========

 https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
 https://github.com/pallets/jinja/pull/1343
 https://github.com/pallets/jinja/commit/ef658dc3b6389b091d608e710a810ce8b87995b3
 https://security.archlinux.org/CVE-2020-28493
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14589#comment:4>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
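A worked illustration of the "request timeouts and limiting process" mitigation the advisory names, added here as an example (not code from the ticket, from Jinja2 or from Arch): the regex-based step is run in a forked child under a hard RLIMIT_CPU cap, so a pathological input can cost at most that much CPU before the kernel terminates the worker. It assumes Linux/Unix (the resource module and the fork start method); find_hostname_like_tokens, run_with_cpu_limit and _spin_forever are hypothetical names chosen for this example.

```python
import multiprocessing as mp
import re
import resource

# Sub-pattern quoted in the advisory above, copied verbatim: note the unescaped
# dot between the two greedy classes, which matches any character, even a space.
ADVISORY_SUBPATTERN = re.compile(r"[a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+")

def find_hostname_like_tokens(text):
    # Stand-in for the urlize step that runs the sub-pattern over user text.
    return ADVISORY_SUBPATTERN.findall(text)

def _worker(conn, cpu_seconds, fn, args):
    # Cap CPU time for this child only; the kernel raises SIGXCPU at the limit
    # and Python's default disposition terminates the process.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    try:
        conn.send(("ok", fn(*args)))
    except Exception as exc:  # ordinary failures are reported, not swallowed
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def run_with_cpu_limit(fn, args, cpu_seconds=1, wall_seconds=None):
    # Returns ("ok", result), ("error", repr), ("killed", exitcode) when the
    # CPU limit fired, or ("timeout", None) if the wall-clock budget ran out.
    ctx = mp.get_context("fork")  # fork: fn and args need not be picklable
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(child_end, cpu_seconds, fn, args))
    proc.start()
    child_end.close()  # only the child keeps the writer, so EOF is detectable
    proc.join(wall_seconds if wall_seconds is not None else cpu_seconds * 3)
    if proc.is_alive():  # blocked without burning CPU: enforce wall time too
        proc.kill()
        proc.join()
        return ("timeout", None)
    try:
        if parent_end.poll(0):
            return parent_end.recv()
    except EOFError:
        pass  # child died from the signal before it could send a result
    return ("killed", proc.exitcode)

def _spin_forever():
    while True:  # stands in for a render whose regex never finishes
        pass
```

The same wrapper can sit around a real `Template.render()` call; the CPU cap bounds the cost of a single request while the wall-clock join catches a worker that stalls without consuming CPU.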