Hello community,

here is the log from the commit of package python-bleach for openSUSE:Factory checked in at 2020-03-08 22:22:00

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-bleach (Old)
 and      /work/SRC/openSUSE:Factory/.python-bleach.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-bleach" Sun Mar 8 22:22:00 2020 rev:8 rq:780475 version:3.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-bleach/python-bleach.changes 2019-07-30 13:02:45.638422088 +0200 +++ /work/SRC/openSUSE:Factory/.python-bleach.new.26092/python-bleach.changes 2020-03-08 22:22:02.591999930 +0100 @@ -1,0 +2,13 @@ +Fri Feb 28 16:13:43 UTC 2020 - Alexandros Toptsoglou <atoptsog...@suse.com> + +- Update to V3.1.1: Security update for CVE-2020-6802 + + * CVE-2020-6802: Fixed mutation XSS vulnerabilities (bsc#1165303). + +------------------------------------------------------------------- +Wed Jan 8 10:35:41 CET 2020 - Matej Cepl <mc...@suse.com> + +- Switch off test_uri_value_allowed_protocols test to work around + gh#mozilla/bleach#503. + +------------------------------------------------------------------- Old: ---- bleach-3.1.0.tar.gz New: ---- bleach-3.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-bleach.spec ++++++ --- /var/tmp/diff_new_pack.tY5L92/_old 2020-03-08 22:22:03.280000354 +0100 +++ /var/tmp/diff_new_pack.tY5L92/_new 2020-03-08 22:22:03.284000357 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-bleach # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # Copyright (c) 2015 LISA GmbH, Bingen, Germany. # # All modifications and additions to the file contributed by third parties @@ -19,12 +19,12 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-bleach -Version: 3.1.0 +Version: 3.1.1 Release: 0 Summary: A whitelist-based HTML-sanitizing tool License: Apache-2.0 Group: Development/Languages/Python -URL: http://github.com/jsocol/bleach +URL: https://github.com/jsocol/bleach Source: https://files.pythonhosted.org/packages/source/b/bleach/bleach-%{version}.tar.gz Patch0: de-vendor.patch BuildRequires: %{python_module html5lib >= 1.0.0} 
@@ -67,7 +67,8 @@ %python_expand %fdupes %{buildroot}%{$python_sitelib} %check -%pytest +# gh#mozilla/bleach#503 +%pytest -k 'not test_uri_value_allowed_protocols' %files %{python_files} %license LICENSE ++++++ bleach-3.1.0.tar.gz -> bleach-3.1.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.0/CHANGES new/bleach-3.1.1/CHANGES --- old/bleach-3.1.0/CHANGES 2019-01-09 16:09:41.000000000 +0100 +++ new/bleach-3.1.1/CHANGES 2020-02-19 18:34:36.000000000 +0100 @@ -1,6 +1,41 @@ Bleach changes ============== +Version 3.1.1 (February 13th, 2020) +----------------------------------- + +**Security fixes** + +* ``bleach.clean`` behavior parsing ``noscript`` tags did not match + browser behavior. + + Calls to ``bleach.clean`` allowing ``noscript`` and one or more of + the raw text tags (``title``, ``textarea``, ``script``, ``style``, + ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable + to a mutation XSS. + + This security issue was confirmed in Bleach versions v2.1.4, v3.0.2, + and v3.1.0. Earlier versions are probably affected too. + + Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade. + + https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 + +**Backwards incompatible changes** + +None + +**Features** + +None + +**Bug fixes** + +None + +Bleach changes +============== + Version 3.1.0 (January 9th, 2019) --------------------------------- @@ -76,7 +111,7 @@ * Fix ``list`` object has no attribute ``lower`` in ``clean``. (#398) * Fix ``abbr`` getting escaped in ``linkify``. (#400) - + Version 3.0.0 (October 3rd, 2018) --------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.0/PKG-INFO new/bleach-3.1.1/PKG-INFO --- old/bleach-3.1.0/PKG-INFO 2019-01-09 16:10:47.000000000 +0100 +++ new/bleach-3.1.1/PKG-INFO 2020-02-19 18:39:45.758497500 +0100 
@@ -1,12 +1,11 @@ Metadata-Version: 1.2 Name: bleach -Version: 3.1.0 +Version: 3.1.1 Summary: An easy safelist-based HTML-sanitizing tool. Home-page: https://github.com/mozilla/bleach -Author: Will Kahn-Greene -Author-email: wil...@mozilla.com +Maintainer: Will Kahn-Greene +Maintainer-email: wil...@mozilla.com License: Apache Software License -Description-Content-Type: UNKNOWN Description: ====== Bleach ====== @@ -129,6 +128,41 @@ Bleach changes ============== + Version 3.1.1 (February 13th, 2020) + ----------------------------------- + + **Security fixes** + + * ``bleach.clean`` behavior parsing ``noscript`` tags did not match + browser behavior. + + Calls to ``bleach.clean`` allowing ``noscript`` and one or more of + the raw text tags (``title``, ``textarea``, ``script``, ``style``, + ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable + to a mutation XSS. + + This security issue was confirmed in Bleach versions v2.1.4, v3.0.2, + and v3.1.0. Earlier versions are probably affected too. + + Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade. + + https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 + + **Backwards incompatible changes** + + None + + **Features** + + None + + **Bug fixes** + + None + + Bleach changes + ============== + Version 3.1.0 (January 9th, 2019) --------------------------------- @@ -204,7 +238,7 @@ * Fix ``list`` object has no attribute ``lower`` in ``clean``. (#398) * Fix ``abbr`` getting escaped in ``linkify``. (#400) - + Version 3.0.0 (October 3rd, 2018) --------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.0/bleach/__init__.py new/bleach-3.1.1/bleach/__init__.py --- old/bleach-3.1.0/bleach/__init__.py 2019-01-09 16:09:41.000000000 +0100 +++ new/bleach-3.1.1/bleach/__init__.py 2020-02-19 18:34:36.000000000 +0100 
@@ -18,9 +18,9 @@ # yyyymmdd -__releasedate__ = '20190109' +__releasedate__ = '20200213' # x.y.z or x.y.z.dev0 -- semver -__version__ = '3.1.0' +__version__ = '3.1.1' VERSION = parse_version(__version__) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.0/bleach/html5lib_shim.py new/bleach-3.1.1/bleach/html5lib_shim.py --- old/bleach-3.1.0/bleach/html5lib_shim.py 2019-01-08 18:00:43.000000000 +0100 +++ new/bleach-3.1.1/bleach/html5lib_shim.py 2020-02-19 18:34:36.000000000 +0100 @@ -376,7 +376,12 @@ self.consume_entities = consume_entities super(BleachHTMLParser, self).__init__(**kwargs) - def _parse(self, stream, innerHTML=False, container='div', scripting=False, **kwargs): + def _parse(self, stream, innerHTML=False, container='div', scripting=True, **kwargs): + # set scripting=True to parse <noscript> as though JS is enabled to + # match the expected context in browsers + # + # https://html.spec.whatwg.org/multipage/scripting.html#the-noscript-element + # # Override HTMLParser so we can swap out the tokenizer for our own. self.innerHTMLMode = innerHTML self.container = container diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.0/bleach.egg-info/PKG-INFO new/bleach-3.1.1/bleach.egg-info/PKG-INFO --- old/bleach-3.1.0/bleach.egg-info/PKG-INFO 2019-01-09 16:10:47.000000000 +0100 +++ new/bleach-3.1.1/bleach.egg-info/PKG-INFO 2020-02-19 18:39:45.000000000 +0100 @@ -1,12 +1,11 @@ Metadata-Version: 1.2 Name: bleach -Version: 3.1.0 +Version: 3.1.1 Summary: An easy safelist-based HTML-sanitizing tool. Home-page: https://github.com/mozilla/bleach -Author: Will Kahn-Greene -Author-email: wil...@mozilla.com +Maintainer: Will Kahn-Greene +Maintainer-email: wil...@mozilla.com License: Apache Software License -Description-Content-Type: UNKNOWN Description: ====== Bleach ====== 
@@ -129,6 +128,41 @@ Bleach changes ============== + Version 3.1.1 (February 13th, 2020) + ----------------------------------- + + **Security fixes** + + * ``bleach.clean`` behavior parsing ``noscript`` tags did not match + browser behavior. + + Calls to ``bleach.clean`` allowing ``noscript`` and one or more of + the raw text tags (``title``, ``textarea``, ``script``, ``style``, + ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable + to a mutation XSS. + + This security issue was confirmed in Bleach versions v2.1.4, v3.0.2, + and v3.1.0. Earlier versions are probably affected too. + + Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade. + + https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 + + **Backwards incompatible changes** + + None + + **Features** + + None + + **Bug fixes** + + None + + Bleach changes + ============== + Version 3.1.0 (January 9th, 2019) --------------------------------- @@ -204,7 +238,7 @@ * Fix ``list`` object has no attribute ``lower`` in ``clean``. (#398) * Fix ``abbr`` getting escaped in ``linkify``. (#400) - + Version 3.0.0 (October 3rd, 2018) --------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.0/tests/test_clean.py new/bleach-3.1.1/tests/test_clean.py --- old/bleach-3.1.0/tests/test_clean.py 2018-12-13 01:37:47.000000000 +0100 +++ new/bleach-3.1.1/tests/test_clean.py 2020-02-19 18:34:36.000000000 +0100 
@@ -769,6 +769,34 @@ assert clean('<d {c}>') == '<d {c}>' +# tags that get content passed through (i.e. parsed with parseRCDataRawtext) +_raw_tags = [ + "title", + "textarea", + "script", + "style", + "noembed", + "noframes", + "iframe", + "xmp", +] + +@pytest.mark.parametrize( + "raw_tag, data, expected", + [ + ( + raw_tag, + "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag, + "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag, + ) + for raw_tag in _raw_tags + ], +) +def test_noscript_rawtag_(raw_tag, data, expected): + # refs: bug 1615315 / GHSA-q65m-pv3f-wr5r + assert clean(data, tags=["noscript", raw_tag]) == expected + + def get_ids_and_tests(): """Retrieves regression tests from data/ directory
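Review bot: in the python-bleach.spec `%check` hunk, `%pytest -k 'not test_uri_value_allowed_protocols'` disables a test about allowed URI protocols inside a security update of an HTML sanitizer, and the only justification is the bare issue reference `# gh#mozilla/bleach#503`. The comment should say in one line what that issue is (a test expectation problem, an interaction with the de-vendored html5lib from `Patch0: de-vendor.patch`, or a real protocol-filtering regression) so that a reader of the spec can judge whether shipping without that test is acceptable, and when the skip is expected to be removed; something like `# gh#mozilla/bleach#503: <reason>, re-enable when fixed upstream`.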
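Review bot: in the CHANGES hunk, the new 3.1.1 entry ends by re-adding the file title (`+Bleach changes` / `+==============`) directly before the unchanged `Version 3.1.0 (January 9th, 2019)` section, so the rendered changelog now has two top-level "Bleach changes" headings. Drop those two added lines; the same duplicated heading appears in both PKG-INFO hunks because they are generated from CHANGES, so fixing the source file fixes all three on the next sdist.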
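Review bot: in the bleach/html5lib_shim.py hunk, flipping the `_parse` default from `scripting=False` to `scripting=True` is the whole CVE-2020-6802 fix, yet it stays an ordinary keyword default in `def _parse(self, stream, innerHTML=False, container='div', scripting=True, **kwargs)`, so any caller that reaches `_parse` with `scripting=False` silently reinstates the noscript/raw-text mismatch the release notes describe. Either hard-code the value inside the body instead of exposing it as a parameter, or extend the added comment to state that `scripting` must not be overridden because the serializer side depends on it, so a future refactor does not reintroduce the bug.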
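Review bot: in the tests/test_clean.py hunk, `expected` is spelled exactly like `data` for every entry (`"<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag` on both lines), so as displayed the assertion `clean(data, tags=["noscript", raw_tag]) == expected` can only pass if the `<img src=x onerror=alert(1) />` payload comes out of `clean` untouched, which is the opposite of what a mutation-XSS regression test should check. If the `&lt;`/`&gt;` escapes in the expected string were decoded in transit this is a display problem, but the hunk as reviewed cannot be confirmed to assert sanitized output; the expected value should visibly carry the entities (for example `"<noscript>&lt;%s&gt;</noscript>&lt;img src=x onerror=alert(1) /&gt;"`). Minor: the trailing underscore in `test_noscript_rawtag_` looks like a typo, and the parametrize only covers allowing `noscript` plus a single raw tag, not `noscript` together with several of them, which the changelog also names as vulnerable.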