Package: src:python-bleach Version: 3.1.2-0+deb10u1 Severity: important Tags: security
Once again with a python-bleach security issue... https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm Title regular expression denial-of-service (ReDoS) in BleachSanitizerFilter.sanitize_css gauntlet regular expression Impact bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). Fixed In 3.1.4 Workarounds do not whitelist the style attribute in bleach.clean calls limit input string length References https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 https://www.regular-expressions.info/redos.html https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817