Date: Fri, 27 Jul 2018 13:37:27 +0000 (UTC)
From: Steve Wills <swills@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r475440 - head/security/vuxml
Message-ID: <201807271337.w6RDbRix065167@repo.freebsd.org>
Author: swills Date: Fri Jul 27 13:37:27 2018 New Revision: 475440 URL: https://svnweb.freebsd.org/changeset/ports/475440 Log: security/vuxml: document py-bleach issue PR: 226851 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Jul 27 13:15:55 2018 (r475439) +++ head/security/vuxml/vuln.xml Fri Jul 27 13:37:27 2018 (r475440) @@ -58,6 +58,37 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="e97a8852-32dd-4291-ba4d-92711daff056"> + <topic>py-bleach -- unsanitized character entities</topic> + <affects> + <package> + <name>py27-bleach</name> + <name>py36-bleach</name> + <range><ge>2.1.0</ge><lt>2.1.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>bleach developer reports:</p> + <blockquote cite="https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES"> + <p>Attributes that have URI values weren't properly sanitized if the + values contained character entities. Using character entities, it + was possible to construct a URI value with a scheme that was not + allowed that would slide through unsanitized.</p> + <p>This security issue was introduced in Bleach 2.1. Anyone using + Bleach 2.1 is highly encouraged to upgrade.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES</url> + </references> + <dates> + <discovery>2018-03-05</discovery> + <entry>2018-07-27</entry> + </dates> + </vuln> + <vuln vid="07d04eef-d8e2-11e6-a071-001e67f15f5a"> <topic>lshell -- Shell autocomplete reveals forbidden directories</topic> <affects>
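Review bot: the `<references>` block of the new `<vuln>` entry only carries the upstream CHANGES URL, while the commit log itself cites PR 226851; add a `<freebsdpr>ports/226851</freebsdpr>` element alongside the `<url>` so the entry links back to the bug report, and add a `<cvename>` if an identifier has been assigned for this issue. Two further things worth checking in the `<affects>` block: the note just above the hunk says "Do not forget port variants", so confirm that `py27-bleach` and `py36-bleach` are the only flavored package names the port produces; and the range `<ge>2.1.0</ge><lt>2.1.3</lt>` matches the quoted text ("introduced in Bleach 2.1"), which is fine as long as no packaged version was ever named plain `2.1`.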