python-jinja2-2.10.1-3.el8

Errata ID: AXSA:2021-2728:01

Release date: Tuesday, December 14, 2021 - 00:27
Subject: python-jinja2-2.10.1-3.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The python-jinja2 package contains Jinja2, a template engine written in pure
Python. Jinja2 provides a Django inspired non-XML syntax but supports inline
expressions and an optional sandboxed environment.

Security Fix(es):

* python-jinja2: ReDoS vulnerability due to the sub-pattern (CVE-2020-28493)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2020-28493
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS
vulnerability is mainly due to the `_punctuation_re` regex and its use of
multiple wildcards. The last wildcard is the most exploitable as it searches
for trailing punctuation. This issue can be mitigated by using Markdown to
format user content instead of the urlize filter, or by implementing request
timeouts and limiting process memory.
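The timeout-and-memory-limit mitigation named above, as an added example that is not part of this advisory or of the jinja2 project. It assumes Linux, a caller-supplied render callable (e.g. one that applies the urlize filter), and uses constructed stand-in functions for a stuck match and a memory blow-up; the point it makes beyond the text is that the work must run in a separate process, because a regex backtracking inside the C-level re engine never returns to the interpreter loop, so an in-process signal.alarm handler would not fire until the match finished.

```python
import multiprocessing
import resource


def _child(conn, fn, arg, max_mem_bytes):
    # Runs in the forked worker: apply a hard address-space cap, then render.
    try:
        if max_mem_bytes is not None:
            _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
            cap = max_mem_bytes if hard == resource.RLIM_INFINITY else min(max_mem_bytes, hard)
            resource.setrlimit(resource.RLIMIT_AS, (cap, cap))
        conn.send(("ok", fn(arg)))
    except BaseException as exc:  # MemoryError from the cap lands here
        conn.send(("error", type(exc).__name__))
    finally:
        conn.close()


def render_isolated(fn, arg, timeout_s=2.0, max_mem_bytes=2 * 1024 ** 3):
    """Call fn(arg) in a child process bounded by wall-clock time and memory.

    Returns ("ok", result), ("error", exception_name) or ("timeout", None).
    Killing the child is the only way to stop a match stuck in the C re engine.
    """
    ctx = multiprocessing.get_context("fork")  # fork: no pickling of fn needed
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_child, args=(child_end, fn, arg, max_mem_bytes))
    proc.start()
    child_end.close()
    try:
        if parent_end.poll(timeout_s):
            try:
                status, payload = parent_end.recv()
            except EOFError:  # child died before reporting (e.g. OOM-killed)
                status, payload = "error", "ChildDied"
            proc.join(timeout_s)
        else:
            status, payload = "timeout", None
    finally:
        if proc.is_alive():
            proc.kill()  # SIGKILL: a stuck regex ignores anything politer
            proc.join()
        parent_end.close()
    return status, payload


def _spin_forever(_text):
    # Constructed stand-in for a catastrophically backtracking match.
    while True:
        pass


def _allocate_8gib(_text):
    # Constructed stand-in for memory blow-up; trips the RLIMIT_AS cap.
    return len(bytearray(8 * 1024 ** 3))
```

In a web application the same budget is usually enforced by the worker model (a per-request timeout that kills the worker plus an address-space limit on it), which this function reproduces per call.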

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-jinja2-2.10.1-3.el8.src.rpm
    MD5: 21624c9765bde5d470a4e7018260d111
    SHA-256: 3e8f8f82b2329a3f5c4d5acebf493b1c5d33789dc3de49839450429ee4e45dce
    Size: 274.83 kB

Asianux Server 8 for x86_64
  1. python3-jinja2-2.10.1-3.el8.noarch.rpm
    MD5: a5560de8b61a76f231f10b84c55f230a
    SHA-256: 273511fbb54db029750579bf63556e12a4f1a986f3e4e4792bb1de28816846fb
    Size: 536.50 kB