FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 3d19c776-68e7-11ea-91db-0050562a4d7b
Description: www/py-bleach -- multiple vulnerabilities

* ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS.

Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior.

Calls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.


Discovery 2020-02-13
Entry 2020-03-18
py27-bleach
py35-bleach
py36-bleach
py37-bleach
py38-bleach
< 3.1.2

https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
VuXML ID: 4c52ec3c-86f3-11ea-b5b4-641c67a117d8
Description: py-bleach -- regular expression denial-of-service

Bleach developers report:

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).


Discovery 2019-03-09
Entry 2020-04-26
py27-bleach
py35-bleach
py36-bleach
py37-bleach
py38-bleach
< 3.1.4

https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm
https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
CVE-2020-6817
ports/245943
VuXML ID: e97a8852-32dd-4291-ba4d-92711daff056
Description: py-bleach -- unsanitized character entities

bleach developer reports:

Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

This security issue was introduced in Bleach 2.1. Anyone using Bleach 2.1 is highly encouraged to upgrade.


Discovery 2018-03-05
Entry 2018-07-27
py27-bleach
py36-bleach
>= 2.1.0 and < 2.1.3

https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES