Security update for python-mistune SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0402-1 Final 1 1 2018-02-08T18:32:00Z current 2018-02-08T18:32:00Z 2018-02-08T18:32:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-mistune This update for python-mistune to version 0.8.3 fixes several issues. These security issues were fixed: - CVE-2017-16876: Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py allowed remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the 'key' argument (bsc#1072307). - CVE-2017-15612: Prevent XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions (bsc#1064640). These non-security issues were fixed: - Fix nested html issue - Fix _keyify with lower case. - Remove non breaking spaces preprocessing - Remove rev and rel attribute for footnotes - Fix escape_link method - Handle block HTML with no content - Use expandtabs for tab - Fix escape option for text renderer - Fix HTML attribute regex pattern - Fix strikethrough regex - Fix HTML attribute regex - Fix close tag regex - Fix hard_wrap options on renderer. - Fix emphasis regex pattern - Fix base64 image link - Fix link security per - Fix inline html when there is no content per The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-02/msg00030.html E-Mail link for openSUSE-SU-2018:0402-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 python-mistune-0.8.3-11.1 python3-mistune-0.8.3-9.1 python-mistune-0.8.3-11.1 as a component of openSUSE Leap 42.3 python3-mistune-0.8.3-9.1 as a component of openSUSE Leap 42.3 mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions. CVE-2017-15612 openSUSE Leap 42.3:python-mistune-0.8.3-11.1 openSUSE Leap 42.3:python3-mistune-0.8.3-9.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00030.html https://www.suse.com/security/cve/CVE-2017-15612.html CVE-2017-15612 https://bugzilla.suse.com/1064640 SUSE Bug 1064640 Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument. CVE-2017-16876 openSUSE Leap 42.3:python-mistune-0.8.3-11.1 openSUSE Leap 42.3:python3-mistune-0.8.3-9.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00030.html https://www.suse.com/security/cve/CVE-2017-16876.html CVE-2017-16876 https://bugzilla.suse.com/1072307 SUSE Bug 1072307