FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-bleach -- regular expression denial-of-service

Affected packages
py27-bleach < 3.1.4
py35-bleach < 3.1.4
py36-bleach < 3.1.4
py37-bleach < 3.1.4
py38-bleach < 3.1.4

Details

VuXML ID 4c52ec3c-86f3-11ea-b5b4-641c67a117d8
Discovery 2019-03-09
Entry 2020-04-26

Bleach developers report:

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
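The advisory's trigger condition is purely a matter of configuration: an installed bleach older than 3.1.4 combined with a `bleach.clean` call whose `attributes` argument allows `style` on some tag. The following audit helper is an added example for this entry, not code from FreeBSD or the Bleach project; it uses only the standard library, takes the fixed version 3.1.4 from the advisory, and assumes the three shapes `bleach.clean` accepts for `attributes` (a list of attribute names, a dict keyed by tag, or a callable). It flags the exposed configuration and produces a copy with `style` removed for deployments that cannot upgrade immediately.

```python
"""Audit a bleach.clean() attribute configuration against this advisory.

Added example (not FreeBSD or Bleach project code). Standard library only.
FIXED_VERSION is the first unaffected release named in the advisory.
"""
from typing import Callable, Dict, Iterable, List, Tuple, Union

FIXED_VERSION = (3, 1, 4)

AttrSpec = Union[Iterable[str], Dict[str, Iterable[str]], Callable[..., bool]]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.3' into (3, 1, 3); a non-numeric component ends the parse."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the installed bleach predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def tags_allowing_style(attributes: AttrSpec) -> List[str]:
    """Return the tags for which a 'style' attribute is allowed.

    dict form: {'a': ['style']} -> ['a']; a '*' key applies to every tag.
    list form: ['href', 'style'] -> ['*'] (the list applies to all tags).
    callable form: not inspectable statically; reported as '<callable>'
    so a reviewer checks it by hand.
    """
    if callable(attributes):
        return ["<callable>"]
    if isinstance(attributes, dict):
        found = []
        for tag, allowed in attributes.items():
            if callable(allowed):
                found.append(tag + "<callable>")
            elif "style" in allowed:
                found.append(tag)
        return sorted(found)
    return ["*"] if "style" in set(attributes) else []


def strip_style(attributes: AttrSpec) -> AttrSpec:
    """Return a copy of a list/dict spec with 'style' removed.

    Interim mitigation where upgrading is not yet possible; callables are
    returned unchanged because their policy cannot be rewritten here.
    """
    if callable(attributes):
        return attributes
    if isinstance(attributes, dict):
        return {
            tag: allowed if callable(allowed) else [a for a in allowed if a != "style"]
            for tag, allowed in attributes.items()
        }
    return [a for a in attributes if a != "style"]


def audit(version: str, attributes: AttrSpec) -> Dict[str, object]:
    """Combine the version check and the attribute check into one verdict."""
    exposed = tags_allowing_style(attributes)
    affected = is_affected_version(version)
    return {
        "affected_version": affected,
        "style_tags": exposed,
        "at_risk": affected and bool(exposed),
    }


if __name__ == "__main__":
    # Constructed sample: the configuration quoted in the advisory on an old release.
    print(audit("3.1.3", {"a": ["style"]}))
    print(strip_style({"a": ["href", "style"]}))
```

Running the audit against the configuration quoted in the advisory on a pre-3.1.4 release reports `at_risk: True`; the same configuration on 3.1.4 or later is not flagged, which is the upgrade path the affected-packages list above points to.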

References

CVE Name CVE-2020-6817
FreeBSD PR ports/245943
URL https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
URL https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm