Sat Apr 11 07:23:30 2020 UTC
py-bleach: updated to 3.1.4

Version 3.1.4:

Security fixes

* ``bleach.clean`` behavior parsing style attributes could result in a
  regular expression denial of service (ReDoS).

  Calls to ``bleach.clean`` with an allowed tag with an allowed
  ``style`` attribute were vulnerable to ReDoS. For example,
  ``bleach.clean(..., attributes={'a': ['style']})``.

  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
  v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
  regular expression and should be considered vulnerable too.

  Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

Backwards incompatible changes

* Style attributes with dashes, or single or double quoted values are
  cleaned instead of passed through.


(adam)
diff -r1.14 -r1.15 pkgsrc/www/py-bleach/Makefile
diff -r1.12 -r1.13 pkgsrc/www/py-bleach/distinfo
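
The exposure condition in the release notes above (an allowed tag with an allowed ``style`` attribute, on Bleach <=v3.1.3) can be checked against a project's sanitizer settings. This is an added example, not code from the commit or from Bleach; the function names are hypothetical, and it assumes ``attributes`` takes the forms Bleach accepts: a list, a dict keyed by tag or ``'*'``, or a callable taking ``(tag, name, value)``.

```python
import re

LAST_AFFECTED = (3, 1, 3)  # from the release notes: Bleach <= v3.1.3


def parse_version(text):
    """Turn '3.1.3' or 'v3.1.3' into a tuple of ints; any suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def _allows_style(rule, tag):
    """rule is a collection of attribute names or a callable(tag, name, value)."""
    if callable(rule):
        # Probe the filter with an empty, benign value.
        return bool(rule(tag, "style", ""))
    return "style" in rule


def tags_allowing_style(tags, attributes):
    """Return the allowed tags on which the style attribute survives cleaning."""
    exposed = []
    for tag in tags:
        if callable(attributes) or isinstance(attributes, (list, tuple, set, frozenset)):
            rules = [attributes]  # one rule applied to every tag
        else:
            # Dict form: a per-tag entry and the '*' wildcard can both apply.
            rules = [attributes[key] for key in (tag, "*") if key in attributes]
        if any(_allows_style(rule, tag) for rule in rules):
            exposed.append(tag)
    return exposed


def is_exposed(version, tags, attributes):
    """True when the version is in the affected range and style is reachable."""
    in_range = parse_version(version) <= LAST_AFFECTED
    return in_range and bool(tags_allowing_style(tags, attributes))
```

A tag that is not in the allowed ``tags`` list is not reported, because its attributes are never parsed.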

cvs diff -r1.14 -r1.15 pkgsrc/www/py-bleach/Makefile

--- pkgsrc/www/py-bleach/Makefile 2020/03/18 10:08:16 1.14
+++ pkgsrc/www/py-bleach/Makefile 2020/04/11 07:23:30 1.15
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1# $NetBSD: Makefile,v 1.14 2020/03/18 10:08:16 adam Exp $ 1# $NetBSD: Makefile,v 1.15 2020/04/11 07:23:30 adam Exp $
2 2
3DISTNAME= bleach-3.1.3 3DISTNAME= bleach-3.1.4
4PKGNAME= ${PYPKGPREFIX}-${DISTNAME} 4PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
5CATEGORIES= www python 5CATEGORIES= www python
6MASTER_SITES= ${MASTER_SITE_PYPI:=b/bleach/} 6MASTER_SITES= ${MASTER_SITE_PYPI:=b/bleach/}
7 7
8MAINTAINER= ryoon@NetBSD.org 8MAINTAINER= ryoon@NetBSD.org
9HOMEPAGE= https://github.com/mozilla/bleach 9HOMEPAGE= https://github.com/mozilla/bleach
10COMMENT= Easy whitelist-based HTML-sanitizing tool 10COMMENT= Easy whitelist-based HTML-sanitizing tool
11LICENSE= apache-2.0 11LICENSE= apache-2.0
12 12
13DEPENDS+= ${PYPKGPREFIX}-six>=1.9:../../lang/py-six 13DEPENDS+= ${PYPKGPREFIX}-six>=1.9:../../lang/py-six
14DEPENDS+= ${PYPKGPREFIX}-webencodings-[0-9]*:../../textproc/py-webencodings 14DEPENDS+= ${PYPKGPREFIX}-webencodings-[0-9]*:../../textproc/py-webencodings
15BUILD_DEPENDS+= ${PYPKGPREFIX}-test-runner>=2.0:../../devel/py-test-runner 15BUILD_DEPENDS+= ${PYPKGPREFIX}-test-runner>=2.0:../../devel/py-test-runner
16TEST_DEPENDS+= ${PYPKGPREFIX}-test>=3.0.0:../../devel/py-test 16TEST_DEPENDS+= ${PYPKGPREFIX}-test>=3.0.0:../../devel/py-test
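
Review bot: the DISTNAME bump on line 3 is the only change here, but the commit message lists a backwards-incompatible change in 3.1.4 (style attributes with dashes, or single or double quoted values, are now cleaned instead of passed through), so packages that depend on py-bleach and allow ``style`` may produce different output after this update; that is worth flagging to their maintainers. Since the message also states that Bleach <=v3.1.3 is affected, consider recording that range in pkgsrc's pkg-vulnerabilities list, if that has not been done, so audits of installed packages flag 3.1.3 and earlier.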

cvs diff -r1.12 -r1.13 pkgsrc/www/py-bleach/distinfo

--- pkgsrc/www/py-bleach/distinfo 2020/03/18 10:08:16 1.12
+++ pkgsrc/www/py-bleach/distinfo 2020/04/11 07:23:30 1.13
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
1$NetBSD: distinfo,v 1.12 2020/03/18 10:08:16 adam Exp $ 1$NetBSD: distinfo,v 1.13 2020/04/11 07:23:30 adam Exp $
2 2
3SHA1 (bleach-3.1.3.tar.gz) = 09306029c815f77e7685bacfbc01228e80d9b76d 3SHA1 (bleach-3.1.4.tar.gz) = ce0937e304ddaad0a93bee5da3533c1440f3b525
4RMD160 (bleach-3.1.3.tar.gz) = 6033fa4236a6c51ad107dae858a092dee88a15fb 4RMD160 (bleach-3.1.4.tar.gz) = cddd93fba0cf2871778d14ef0e80604b4971ee70
5SHA512 (bleach-3.1.3.tar.gz) = 6c46504833ac9aa83ea056b6a2970aa539774301b14b5f0d7ae5abb9576ace56b7e027b718159c8ed83d37ae78b4db1083eb12b1cafcff10429399025fb5ab4e 5SHA512 (bleach-3.1.4.tar.gz) = da233794954aad4e63e334d3c3bab9089e7767e0d784b8c51d12d2862ac6ed73ad5122b4d9cfd291ba7d9fc86a4a3b515429d7e383f241a46e3290acefa2ffc6
6Size (bleach-3.1.3.tar.gz) = 176601 bytes 6Size (bleach-3.1.4.tar.gz) = 177813 bytes
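
Review bot: the new digests on lines 3 to 5 cannot be verified from the diff itself, and for a security update the tarball's provenance matters; compare the SHA512 on line 5 and the size on line 6 (177813 bytes) against bleach-3.1.4.tar.gz as published upstream before relying on this entry. The SHA1 and RMD160 values on lines 3 and 4 should be treated as legacy checks, not as integrity evidence on their own.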