quoted sections in tag not grouped correctly #366
Comments
Mike Bayer has proposed a fix for this issue in the main branch: fix tag regexp to match quoted groups correctly https://gerrit.sqlalchemy.org/c/sqlalchemy/mako/+/4053
zzzeek changed the title from "issue placeholder" to "quoted sections in tag not grouped correctly" (Aug 29, 2022)
jbmchuck added a commit to tableau/altimeter that referenced this issue (Sep 16, 2022)
jbmchuck added a commit to tableau/altimeter that referenced this issue (Sep 16, 2022)
sbrunner added a commit to camptocamp/shared_config_manager that referenced this issue (Sep 28, 2022)
+==============================================================================+
 VULNERABILITIES FOUND
+==============================================================================+
-> Vulnerability found in lxml version 4.8.0
   Vulnerability ID: 50748
   Affected spec: <4.9.1
   ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application...
   CVE-2022-2309
   For more information, please visit https://pyup.io/vulnerabilities/CVE-2022-2309/50748/
-> Vulnerability found in mako version 1.1.6
   Vulnerability ID: 50870
   Affected spec: <1.2.2
   ADVISORY: Mako 1.2.2 includes a fix for a REDoS vulnerability. sqlalchemy/mako#366
   PVE-2022-50870
   For more information, please visit https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
-> Vulnerability found in ujson version 5.2.0
   Vulnerability ID: 49755
   Affected spec: <5.4.0
   ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions prior to 5.4.0 an error occurring while reallocating a buffer for string...
   CVE-2022-31117
   For more information, please visit https://pyup.io/vulnerabilities/CVE-2022-31117/49755/
-> Vulnerability found in ujson version 5.2.0
   Vulnerability ID: 49754
   Affected spec: <5.4.0
   ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect handling of invalid surrogate pair...
   CVE-2022-31116
   For more information, please visit https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
-> Vulnerability found in mako version 1.0.9
   Vulnerability ID: 50870
   Affected spec: <1.2.2
   ADVISORY: Mako 1.2.2 includes a fix for a REDoS vulnerability. sqlalchemy/mako#366
   PVE-2022-50870
   For more information, please visit https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
Ignore CVE
Title: [1084602] Arbitrary Code Execution in underscore
Severity: critical
CWE: CWE-94
Vulnerable versions: >=1.3.2 <1.12.1
Patched versions: >=1.12.1
Recommendation: Upgrade to version 1.12.1 or later
Version: 1.6.0
Path: openlayers > nomnom > underscore
More info: GHSA-cf4h-3jhx-xvhq
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Sep 30, 2022)
sbrunner added a commit to camptocamp/ngeo that referenced this issue (Oct 3, 2022)
Merged
sbrunner added a commit to camptocamp/ngeo that referenced this issue (Oct 3, 2022)
Title: [1084344] jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
Severity: moderate
CWE: CWE-79
Vulnerable versions: <1.13.2
Patched versions: >=1.13.2
Recommendation: Upgrade to version 1.13.2 or later
Version: 1.13.0
Path: jquery-ui
More info: GHSA-h6gj-6jjq-h8g9
-> Vulnerability found in mako version 1.1.2
   Vulnerability ID: 50870
   Affected spec: <1.2.2
   ADVISORY: Mako 1.2.2 includes a fix for a REDoS vulnerability. sqlalchemy/mako#366
   PVE-2022-50870
   For more information, please visit https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
Closed
sbrunner added a commit to camptocamp/ngeo that referenced this issue (Oct 3, 2022)
Merged
sbrunner added a commit to camptocamp/ngeo that referenced this issue (Oct 3, 2022)
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue (Oct 3, 2022)
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue (Oct 3, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Oct 4, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Oct 6, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Oct 6, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Oct 7, 2022)
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue (Oct 7, 2022)
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue (Oct 19, 2022)
-> Vulnerability found in mako version 1.1.6
   Vulnerability ID: 50870
   Affected spec: <1.2.2
   ADVISORY: Mako 1.2.2 includes a fix for a REDoS vulnerability. sqlalchemy/mako#366
   PVE-2022-50870
   For more information, please visit https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
-> Vulnerability found in urllib3 version 1.24.3
   Vulnerability ID: 38834
   Affected spec: <1.25.9
   ADVISORY: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF...
   CVE-2020-26137
   For more information, please visit https://pyup.io/vulnerabilities/CVE-2020-26137/38834/
-> Vulnerability found in urllib3 version 1.24.3
   Vulnerability ID: 43975
   Affected spec: <1.26.5
   ADVISORY: Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in urllib3 before 1.26.5. When provided with a URL...
   CVE-2021-33503
   For more information, please visit https://pyup.io/vulnerabilities/CVE-2021-33503/43975/
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue (Oct 19, 2022)
rpurdie pushed a commit to yoctoproject/poky that referenced this issue (Nov 1, 2022)
Released: Thu Sep 22 2022
* bug - [bug] [lexer] * Fixed issue in lexer in the same category as that of #366 where the regexp used to match an end tag didn’t correctly organize for matching characters surrounded by whitespace, leading to high memory / interpreter hang if a closing tag incorrectly had a large amount of unterminated space in it. Credit to Sebastian Chnelik for locating the issue. As Mako templates inherently render and directly invoke arbitrary Python code from the template source, it is never appropriate to create templates that contain untrusted input. References: #367
[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367
(From OE-Core rev: c927983ba7af9895e550018476759dd12fa90452)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue (Nov 1, 2022)
rpurdie pushed a commit to yoctoproject/poky that referenced this issue (Nov 1, 2022)
halstead pushed a commit to openembedded/openembedded-core that referenced this issue (Nov 1, 2022)
rpurdie pushed a commit to yoctoproject/poky that referenced this issue (Nov 2, 2022)
halstead pushed a commit to openembedded/openembedded-core that referenced this issue (Nov 2, 2022)
kraj pushed a commit to YoeDistro/poky that referenced this issue (Nov 2, 2022)
halstead pushed a commit to openembedded/openembedded-core that referenced this issue (Nov 24, 2022)
rickprice pushed a commit to ActiveState/mako that referenced this issue (Dec 8, 2023)
Fixed issue in lexer where the regexp used to match tags would not correctly interpret quoted sections individually. While this parsing issue still produced the same expected tag structure later on, the mis-handling of quoted sections was also subject to a regexp crash if a tag had a large number of quotes within its quoted sections.
Fixes: sqlalchemy#366
Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
(cherry picked from commit 9257602)
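As an added example (not code from this issue, its commenters, or the Mako project), the shape of the bug the commit message above describes: a quoted-value alternative written as `".*?"` can be stretched across neighbouring quote characters, so when the rest of the tag fails to match, the engine retries every grouping of the quotes, whereas `"[^"]*?"` admits exactly one grouping per quoted section. The two patterns are a reconstruction modelled on the tag-start regexp in Mako's lexer and, like the unterminated-tag input, are an assumption rather than the project's code.

```python
import re
import time

# Added example, not code from this issue or from the Mako project: a
# reconstruction of the two shapes of the tag-start regexp that the fix
# commit describes.  Treat the exact patterns as an assumption.
# BEFORE: a quoted value is matched with ".*?", which the engine can stretch
# across neighbouring quote characters while backtracking.
TAG_BEFORE = re.compile(
    r"""
    \<%                                   # opening tag
    ([\w\.\:]+)                           # keyword, e.g. page or include
    ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*)     # attr name, = sign, quoted value
    \s*
    (/)?>                                 # optional self-closing slash, then >
    """,
    re.I | re.S | re.X,
)
# AFTER: each quoted value is matched individually with "[^"]*?" (it can never
# contain a quote), so there is exactly one way to group the quotes.
TAG_AFTER = re.compile(
    r"""
    \<%
    ([\w\.\:]+)
    ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*)
    \s*
    (/)?>
    """,
    re.I | re.S | re.X,
)


def match_tag(regex, text):
    """Return (keyword, attribute_text, self_closing) for a tag start, or None."""
    m = regex.match(text)
    if m is None:
        return None
    return m.group(1), m.group(2), bool(m.group(3))


def quoted_section(body, text):
    """Match `body` against the whole of `text` and return what it consumed.

    Shows whether one quoted-section alternative can be stretched over
    several quoted sections when the engine is forced to backtrack."""
    m = re.match("(" + body + ")$", text, re.S)
    return m.group(1) if m else None


def unterminated_tag(n_quotes):
    """Constructed input: a tag start holding n quote characters and no closing
    '>', so the overall match must fail and the engine backtracks through every
    grouping of the quotes it can form.  With ".*?" that is every way to cut the
    run into quoted sections (roughly 1.618**n of them); with "[^"]*?" it is
    one, so the failing match stays linear."""
    return "<%page" + '"' * n_quotes


def failed_match_seconds(regex, text):
    """Wall-clock time of one match attempt on text the regex does not match."""
    start = time.perf_counter()
    matched = regex.match(text) is not None
    elapsed = time.perf_counter() - start
    if matched:
        raise ValueError("expected a failing match")
    return elapsed


def main():
    tag = '<%page args="x, y" cached="True"/>'
    # On a well-formed tag both patterns yield the same structure, which is
    # why the bug did not show up as a parsing difference.
    print("before:", match_tag(TAG_BEFORE, tag))
    print("after: ", match_tag(TAG_AFTER, tag))
    # ".*?" swallows two sections as one when a later part forces backtracking;
    # "[^"]*?" cannot.
    print('".*?"    on "a" "b":', quoted_section(r'".*?"', '"a" "b"'))
    print('"[^"]*?" on "a" "b":', quoted_section(r'"[^"]*?"', '"a" "b"'))
    # Growth of the failing match: every four extra quotes cost roughly 7x on
    # the old pattern; the fixed pattern handles thousands of quotes at once.
    for n in (20, 24, 28):
        secs = failed_match_seconds(TAG_BEFORE, unterminated_tag(n))
        print(f"BEFORE, {n:>4} quotes: {secs:.4f}s")
    secs = failed_match_seconds(TAG_AFTER, unterminated_tag(4000))
    print(f"AFTER,  4000 quotes: {secs:.4f}s")


if __name__ == "__main__":
    main()
```

Running `main()` prints the parsed tag for both patterns, the one case where `".*?"` merges two quoted sections, and the timings; keep the BEFORE sizes small, since the old pattern's cost grows exponentially with the quote count.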
daregit pushed a commit to daregit/yocto-combined that referenced this issue (May 22, 2024)
this will crash the Lexer due to the regex: