python310-bleach-6.1.0-1.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14134-1 Final 1 1 2024-07-12T00:00:00Z current 2024-07-12T00:00:00Z 2024-07-12T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python310-bleach-6.1.0-1.5 on GA media These are all security issues fixed in the python310-bleach-6.1.0-1.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14134 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-7753/ SUSE CVE CVE-2018-7753 page https://www.suse.com/security/cve/CVE-2020-6802/ SUSE CVE CVE-2020-6802 page https://www.suse.com/security/cve/CVE-2020-6816/ SUSE CVE CVE-2020-6816 page https://www.suse.com/security/cve/CVE-2020-6817/ SUSE CVE CVE-2020-6817 page https://www.suse.com/security/cve/CVE-2021-23980/ SUSE CVE CVE-2021-23980 page openSUSE Tumbleweed python310-bleach-6.1.0-1.5 python311-bleach-6.1.0-1.5 python312-bleach-6.1.0-1.5 python310-bleach-6.1.0-1.5 as a component of openSUSE Tumbleweed python311-bleach-6.1.0-1.5 as a component of openSUSE Tumbleweed python312-bleach-6.1.0-1.5 as a component of openSUSE Tumbleweed An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized. CVE-2018-7753 openSUSE Tumbleweed:python310-bleach-6.1.0-1.5 openSUSE Tumbleweed:python311-bleach-6.1.0-1.5 openSUSE Tumbleweed:python312-bleach-6.1.0-1.5 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-7753.html CVE-2018-7753 https://bugzilla.suse.com/1085969 SUSE Bug 1085969 In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. CVE-2020-6802 openSUSE Tumbleweed:python310-bleach-6.1.0-1.5 openSUSE Tumbleweed:python311-bleach-6.1.0-1.5 openSUSE Tumbleweed:python312-bleach-6.1.0-1.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6802.html CVE-2020-6802 https://bugzilla.suse.com/1165303 SUSE Bug 1165303 In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. CVE-2020-6816 openSUSE Tumbleweed:python310-bleach-6.1.0-1.5 openSUSE Tumbleweed:python311-bleach-6.1.0-1.5 openSUSE Tumbleweed:python312-bleach-6.1.0-1.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6816.html CVE-2020-6816 https://bugzilla.suse.com/1167379 SUSE Bug 1167379 bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). CVE-2020-6817 openSUSE Tumbleweed:python310-bleach-6.1.0-1.5 openSUSE Tumbleweed:python311-bleach-6.1.0-1.5 openSUSE Tumbleweed:python312-bleach-6.1.0-1.5 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6817.html CVE-2020-6817 https://bugzilla.suse.com/1168280 SUSE Bug 1168280 A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True. CVE-2021-23980 openSUSE Tumbleweed:python310-bleach-6.1.0-1.5 openSUSE Tumbleweed:python311-bleach-6.1.0-1.5 openSUSE Tumbleweed:python312-bleach-6.1.0-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23980.html CVE-2021-23980 https://bugzilla.suse.com/1184547 SUSE Bug 1184547