1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-19 03:52:17 +00:00

security/vuxml: document py-bleach issue

PR:		226851
This commit is contained in:
Steve Wills 2018-07-27 13:37:27 +00:00
parent d21a40b927
commit ddb9b76c52
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=475440

View File

@ -58,6 +58,37 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="e97a8852-32dd-4291-ba4d-92711daff056">
<topic>py-bleach -- unsanitized character entities</topic>
<affects>
<package>
<name>py27-bleach</name>
<name>py36-bleach</name>
<range><ge>2.1.0</ge><lt>2.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>bleach developer reports:</p>
<blockquote cite="https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES">
<p>Attributes that have URI values weren't properly sanitized if the
values contained character entities. Using character entities, it
was possible to construct a URI value with a scheme that was not
allowed that would slide through unsanitized.</p>
<p>This security issue was introduced in Bleach 2.1. Anyone using
Bleach 2.1 is highly encouraged to upgrade.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES</url>
</references>
<dates>
<discovery>2018-03-05</discovery>
<entry>2018-07-27</entry>
</dates>
</vuln>
<vuln vid="07d04eef-d8e2-11e6-a071-001e67f15f5a">
<topic>lshell -- Shell autocomplete reveals forbidden directories</topic>
<affects>