Your message dated Tue, 31 Mar 2020 00:07:26 +0000
with message-id <[email protected]>
and subject line Bug#955388: fixed in python-bleach 3.1.4-1
has caused the Debian Bug report #955388,
regarding src:python-bleach: Regular expression denial of service
(CVE-2020-6817)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
955388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955388
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:python-bleach
Version: 3.1.2-0+deb10u1
Severity: important
Tags: security
Once again with a python-bleach security issue...
https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm
Title
regular expression denial-of-service (ReDoS) in
BleachSanitizerFilter.sanitize_css gauntlet regular expression
Impact
bleach.clean behavior parsing style attributes could result in a regular
expression denial of service (ReDoS).
Calls to bleach.clean with an allowed tag with an allowed style attribute are
vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
Fixed In
3.1.4
Workarounds
do not whitelist the style attribute in bleach.clean calls
limit input string length
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
https://www.regular-expressions.info/redos.html
https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817
--- End Message ---
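The two workarounds listed in the advisory above (no style attribute in the whitelist, bounded input length) combined into one wrapper, as an added example that is not code from bleach, Mozilla or the Debian package. The sanitizer is passed in as a parameter so the file runs without bleach installed; `MAX_INPUT_LEN`, `passthrough_clean` and the function names are assumptions.

```python
from typing import Callable, Dict, Iterable, Union

# The advisory says "limit input string length" but gives no number;
# 64 KiB is an assumed value chosen for illustration only.
MAX_INPUT_LEN = 64 * 1024

# bleach.clean accepts `attributes` as a list (applies to every tag), a dict
# mapping tag -> list or callable, or a single callable (tag, name, value).
AttrSpec = Union[Iterable[str], Dict[str, Union[Iterable[str], Callable]], Callable]


def _without_style(spec):
    """Drop 'style' from one attribute spec, whatever form bleach allows."""
    if callable(spec):
        # Wrap the caller's predicate so it can never approve "style".
        return lambda tag, name, value: name != "style" and spec(tag, name, value)
    return [name for name in spec if name != "style"]


def harden_attributes(attributes: AttrSpec) -> AttrSpec:
    """Return an equivalent whitelist with 'style' removed for every tag."""
    if isinstance(attributes, dict):
        return {tag: _without_style(spec) for tag, spec in attributes.items()}
    return _without_style(attributes)


def within_limit(text: str, max_len: int = MAX_INPUT_LEN) -> bool:
    """Second workaround: refuse inputs longer than max_len characters."""
    return len(text) <= max_len


def passthrough_clean(text: str, **kwargs):
    """Stand-in for bleach.clean used in the demo; returns what it was given."""
    return text, kwargs


def guarded_clean(text: str, clean: Callable = passthrough_clean,
                  max_len: int = MAX_INPUT_LEN, **kwargs):
    """Apply both workarounds, then delegate to a bleach.clean-style callable."""
    if not within_limit(text, max_len):
        raise ValueError(f"input of {len(text)} chars exceeds limit of {max_len}")
    if "attributes" in kwargs:
        kwargs["attributes"] = harden_attributes(kwargs["attributes"])
    return clean(text, **kwargs)


if __name__ == "__main__":
    # Constructed input: the exact configuration the advisory calls vulnerable.
    print(guarded_clean('<a style="color:red">x</a>', attributes={"a": ["style"]}))
```

With real bleach, call `guarded_clean(html, clean=bleach.clean, tags=..., attributes=...)`; the attribute whitelist reaching bleach never contains `style`.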
--- Begin Message ---
Source: python-bleach
Source-Version: 3.1.4-1
Done: Scott Kitterman <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-bleach, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <[email protected]> (supplier of updated python-bleach
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 30 Mar 2020 19:48:37 -0400
Source: python-bleach
Architecture: source
Version: 3.1.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Scott Kitterman <[email protected]>
Closes: 955388
Changes:
python-bleach (3.1.4-1) unstable; urgency=high
.
* New upstream security release (CVE-2020-6817) (Closes: #955388)
--- End Message ---