FreeBSD : py-bleach -- unsanitized character entities (e97a8852-32dd-4291-ba4d-92711daff056)

High Nessus Plugin ID 111409

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

bleach developer reports :

Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

This security issue was introduced in Bleach 2.1. Anyone using Bleach 2.1 is highly encouraged to upgrade.

Solution

Update the affected packages.

See Also

https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES

http://www.nessus.org/u?8a5097d2

Plugin Details

Severity: High

ID: 111409

File Name: freebsd_pkg_e97a885232dd4291ba4d92711daff056.nasl

Version: 1.2

Type: local

Published: 2018/07/30

Modified: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py27-bleach, p-cpe:/a:freebsd:freebsd:py36-bleach, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2018/07/27

Vulnerability Publication Date: 2018/03/05