Subject: CVS commit: pkgsrc/www/py-bleach
From: Adam Ciarcinski
Date: 2020-04-11 09:23:30
Message id: 20200411072330.65C05FB27@cvs.NetBSD.org

Log Message:
py-bleach: updated to 3.1.4

Version 3.1.4:

Security fixes

* ``bleach.clean`` behavior parsing style attributes could result in a
  regular expression denial of service (ReDoS).

  Calls to ``bleach.clean`` with an allowed tag with an allowed
  ``style`` attribute were vulnerable to ReDoS. For example,
  ``bleach.clean(..., attributes={'a': ['style']})``.

  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
  v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
  regular expression and should be considered vulnerable too.

  Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

Backwards incompatible changes

* Style attributes with dashes, or single or double quoted values are
  cleaned instead of passed through.

Files:
Revision  Action  file
1.15      modify  pkgsrc/www/py-bleach/Makefile
1.13      modify  pkgsrc/www/py-bleach/distinfo
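
An added example, not part of the commit message or of Bleach itself: a check for whether a Bleach version and a ``bleach.clean`` configuration meet the condition in the log message, that is, a release before 3.1.4 with an allowed tag that has an allowed ``style`` attribute. The function names and the sample configuration are made up for illustration, and the version parser assumes plain release numbers such as ``3.1.3`` or ``v3.1.3``.

```python
import re

FIXED = (3, 1, 4)  # first fixed release, per the log message


def parse_version(text):
    """Turn '3.1.3' or 'v3.1.3' into a tuple of three ints (missing parts are 0)."""
    m = re.match(r"[vV]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("not a release number: %r" % text)
    return tuple(int(p or 0) for p in m.groups())


def _allows_style(rule, tag):
    """True if one attributes rule (a list or a callable) keeps 'style' on tag."""
    if callable(rule):
        # Bleach calls attribute filters as rule(tag, name, value).
        return bool(rule(tag, "style", "color: red"))
    return "style" in rule


def tags_allowing_style(tags, attributes):
    """Return the allowed tags on which this configuration keeps 'style'."""
    exposed = []
    for tag in tags:
        if isinstance(attributes, dict):
            # A dict is keyed by tag name, with '*' applying to every tag.
            rules = [attributes[k] for k in (tag, "*") if k in attributes]
        else:
            rules = [attributes]  # a list or a callable applies to every tag
        if any(_allows_style(rule, tag) for rule in rules):
            exposed.append(tag)
    return exposed


def is_exposed(version, tags, attributes):
    """Affected release and at least one allowed tag with an allowed style."""
    return parse_version(version) < FIXED and bool(tags_allowing_style(tags, attributes))


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real application.
    tags = ["a", "p", "span"]
    attrs = {"a": ["href", "style"], "span": lambda tag, name, value: name == "style"}
    for version in ("2.1.3", "3.1.3", "3.1.4"):
        print(version, is_exposed(version, tags, attrs), tags_allowing_style(tags, attrs))
```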