From ${URL} :
mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
Pull request: https://github.com/lepture/mistune/pull/140
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
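The bug class in the report above, shown as an added example. This is not Mistune's code or the upstream fix, and the function names, the scheme allowlist and the sample inputs are assumptions made for this sketch. It contrasts a blocklist prefix check on the raw string with a check that first normalizes the URL the way a browser's URL parser does, and it escapes the href used for an email autolink.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumption: allowlist for this sketch
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(map(chr, range(0x21)))  # U+0000..U+0020

def naive_is_safe(url):
    """Blocklist prefix check on the raw string; an embedded newline slips past."""
    return not url.lower().startswith(("javascript:", "vbscript:", "data:"))

def normalize_like_browser(url):
    """Trim leading/trailing C0 controls and space, then drop every tab, CR, LF."""
    return re.sub(r"[\t\r\n]", "", url.strip(_C0_AND_SPACE))

def is_safe_href(url):
    """Allowlist the scheme after normalization; no scheme means a relative URL."""
    m = _SCHEME_RE.match(normalize_like_browser(url).lower())
    return m is None or m.group(1) in ALLOWED_SCHEMES

def render_link(url, text):
    """Emit an anchor: unsafe hrefs become empty, attribute and body are escaped."""
    href = html.escape(url, quote=True) if is_safe_href(url) else ""
    return '<a href="%s">%s</a>' % (href, html.escape(text))

def render_email_autolink(address):
    """Autolink an address; quotes in it cannot close the href attribute."""
    return render_link("mailto:" + address, address)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bug report.
    samples = [
        "https://example.org/",
        "/docs/index.html",
        "java\nscript:void(0)",
        " \tJavaScript:void(0)",
    ]
    for s in samples:
        print(repr(s), "naive:", naive_is_safe(s), "normalized:", is_safe_href(s))
    print(render_email_autolink('a"b@example.org'))
```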
A fix for CVE-2017-15612 is contained in upstream's 0.8 version release. Please bump the package to the latest version as it contains additional security fixes. https://github.com/lepture/mistune/blob/master/CHANGES.rst
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fe68a60852a6935b9d93bca2c5708409f963d3e
commit 0fe68a60852a6935b9d93bca2c5708409f963d3e
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-19 15:24:32 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-19 15:24:32 +0000
dev-python/mistune: vump to 0.8.3
Bug: https://bugs.gentoo.org/639298
Bug: https://bugs.gentoo.org/635270
Package-Manager: Portage-2.3.49, Repoman-2.3.10
 dev-python/mistune/Manifest | 1 +
 dev-python/mistune/mistune-0.8.3.ebuild | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
Bump made. amd64, x86, arm, please stabilize dev-python/mistune-0.8.3.
amd64 stable
x86 stable
arm stable, all arches done.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d0b4149e7c9f43f38a7174ca5c0f9113a2d24b2
commit 7d0b4149e7c9f43f38a7174ca5c0f9113a2d24b2
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-24 18:20:51 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-24 18:20:51 +0000
dev-python/mistune: remove old and vulnerable
Bug: https://bugs.gentoo.org/635270
Package-Manager: Portage-2.3.49, Repoman-2.3.10
 dev-python/mistune/Manifest | 2 --
 dev-python/mistune/mistune-0.7.2.ebuild | 28 ----------------------------
 dev-python/mistune/mistune-0.7.4.ebuild | 28 ----------------------------
 3 files changed, 58 deletions(-)
Cleanup done.
GLSA Vote: No. Repository is clean, all done.