py-bleach: updated to 3.1.4

Version 3.1.4:

Security fixes

* ``bleach.clean`` behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

  Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``.

  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.

  Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

Backwards incompatible changes

* Style attributes with dashes, or single or double quoted values are cleaned instead of passed through.

diff -r1.14 -r1.15 pkgsrc/www/py-bleach/Makefile
(adam)
@@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
1 | # $NetBSD: Makefile,v 1.14 2020/03/18 10:08:16 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.15 2020/04/11 07:23:30 adam Exp $ | |
2 | 2 | |||
3 | DISTNAME= bleach-3.1.3 | 3 | DISTNAME= bleach-3.1.4 | |
4 | PKGNAME= ${PYPKGPREFIX}-${DISTNAME} | 4 | PKGNAME= ${PYPKGPREFIX}-${DISTNAME} | |
5 | CATEGORIES= www python | 5 | CATEGORIES= www python | |
6 | MASTER_SITES= ${MASTER_SITE_PYPI:=b/bleach/} | 6 | MASTER_SITES= ${MASTER_SITE_PYPI:=b/bleach/} | |
7 | 7 | |||
8 | MAINTAINER= ryoon@NetBSD.org | 8 | MAINTAINER= ryoon@NetBSD.org | |
9 | HOMEPAGE= https://github.com/mozilla/bleach | 9 | HOMEPAGE= https://github.com/mozilla/bleach | |
10 | COMMENT= Easy whitelist-based HTML-sanitizing tool | 10 | COMMENT= Easy whitelist-based HTML-sanitizing tool | |
11 | LICENSE= apache-2.0 | 11 | LICENSE= apache-2.0 | |
12 | 12 | |||
13 | DEPENDS+= ${PYPKGPREFIX}-six>=1.9:../../lang/py-six | 13 | DEPENDS+= ${PYPKGPREFIX}-six>=1.9:../../lang/py-six | |
14 | DEPENDS+= ${PYPKGPREFIX}-webencodings-[0-9]*:../../textproc/py-webencodings | 14 | DEPENDS+= ${PYPKGPREFIX}-webencodings-[0-9]*:../../textproc/py-webencodings | |
15 | BUILD_DEPENDS+= ${PYPKGPREFIX}-test-runner>=2.0:../../devel/py-test-runner | 15 | BUILD_DEPENDS+= ${PYPKGPREFIX}-test-runner>=2.0:../../devel/py-test-runner | |
16 | TEST_DEPENDS+= ${PYPKGPREFIX}-test>=3.0.0:../../devel/py-test | 16 | TEST_DEPENDS+= ${PYPKGPREFIX}-test>=3.0.0:../../devel/py-test |
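Review bot: the DISTNAME bump on line 3 pulls in a release whose changelog lists a backwards incompatible change (style attributes with dashes, or single or double quoted values, are now cleaned instead of passed through), yet nothing in the change records whether packages that depend on py-bleach were checked against it. Because this is a security update, say in the commit message which dependents were tested, so that anyone picking the update up for another branch knows what was covered.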
@@ -1,6 +1,6 @@ | @@ -1,6 +1,6 @@ | |||
1 | $NetBSD: distinfo,v 1.12 2020/03/18 10:08:16 adam Exp $ | 1 | $NetBSD: distinfo,v 1.13 2020/04/11 07:23:30 adam Exp $ | |
2 | 2 | |||
3 | SHA1 (bleach-3.1.3.tar.gz) = 09306029c815f77e7685bacfbc01228e80d9b76d | 3 | SHA1 (bleach-3.1.4.tar.gz) = ce0937e304ddaad0a93bee5da3533c1440f3b525 | |
4 | RMD160 (bleach-3.1.3.tar.gz) = 6033fa4236a6c51ad107dae858a092dee88a15fb | 4 | RMD160 (bleach-3.1.4.tar.gz) = cddd93fba0cf2871778d14ef0e80604b4971ee70 | |
5 | SHA512 (bleach-3.1.3.tar.gz) = 6c46504833ac9aa83ea056b6a2970aa539774301b14b5f0d7ae5abb9576ace56b7e027b718159c8ed83d37ae78b4db1083eb12b1cafcff10429399025fb5ab4e | 5 | SHA512 (bleach-3.1.4.tar.gz) = da233794954aad4e63e334d3c3bab9089e7767e0d784b8c51d12d2862ac6ed73ad5122b4d9cfd291ba7d9fc86a4a3b515429d7e383f241a46e3290acefa2ffc6 | |
6 | Size (bleach-3.1.3.tar.gz) = 176601 bytes | 6 | Size (bleach-3.1.4.tar.gz) = 177813 bytes |
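Review bot: the SHA1 and RMD160 entries on lines 3 and 4 add little assurance, since SHA1 is no longer collision resistant; the SHA512 on line 5 is the value that carries the integrity guarantee. These digests are computed from whatever tarball was fetched, so compare the SHA512 and the 177813-byte size against what upstream publishes for bleach-3.1.4.tar.gz before relying on them.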
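A way to check whether an existing ``bleach.clean`` call site falls under the ReDoS condition in the commit message (a release before 3.1.4 together with an allowed tag that allows ``style``). This is an added example, not code from Bleach or pkgsrc; `parse_version`, `tags_allowing_style` and `audit` are hypothetical helper names, and the accepted shapes of `attributes` (list, dict with an optional `'*'` key, or callable) are assumed from Bleach's documented API.

```python
import re

FIXED = (3, 1, 4)  # first fixed release, per the commit message above


def parse_version(text):
    """Turn '3.1.3' or 'v3.1.3' into a comparable tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def tags_allowing_style(tags, attributes):
    """Return the allowed tags for which `style` may reach the style parser.

    Callables cannot be inspected statically, so they are treated as
    possibly allowing `style` (an assumption made to stay conservative).
    """
    def allows(rule):
        if callable(rule):
            return True
        return "style" in (rule or [])

    hits = []
    for tag in tags:
        if isinstance(attributes, dict):
            # A per-tag rule or the '*' wildcard can each allow style.
            if allows(attributes.get(tag)) or allows(attributes.get("*")):
                hits.append(tag)
        elif allows(attributes):
            hits.append(tag)
    return sorted(hits)


def audit(version, tags, attributes):
    """Report whether this version and configuration match the advisory."""
    exposed = tags_allowing_style(tags, attributes)
    vulnerable = parse_version(version) < FIXED and bool(exposed)
    return {"vulnerable": vulnerable, "tags": exposed}


if __name__ == "__main__":
    # Constructed sample configuration mirroring the commit message's example.
    print(audit("3.1.3", ["a", "b"], {"a": ["href", "style"]}))
```
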