Univention Bugzilla – Bug 57007
jinja2: Multiple issues (5.0)
Last modified: 2024-01-31 15:39:45 CET
New Debian jinja2 2.10-2+deb10u1 fixes:

This update addresses the following issue:

2.10-2+deb10u1 (Mon, 22 Jan 2024 12:57:18 -0800)
  * Non-maintainer upload by the Debian LTS team.
  * CVE-2024-22195: Fix an issue where it was possible to inject arbitrary HTML attributes into the rendered HTML via the "xmlattr" filter, potentially leading to a Cross-Site Scripting (XSS) attack. It may also have been possible to bypass attribute validation checks if they were blacklist-based.
  * Actually run the testsuite, on both Python 2.x and Python 3.x.
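To make the CVE-2024-22195 description concrete, the following is an added example and not code from this bug, from Debian, or from Jinja2 itself. It is a minimal re-implementation of the behaviour the advisory describes: attribute values are escaped, but before the fix the attribute names (the dict keys) were emitted verbatim, so a key containing a space smuggles in a second attribute. The character set rejected by `xmlattr_checked`, the `EVENT_HANDLER_BLOCKLIST`, and the sample attribute dicts are assumptions of this example, not taken from the package.

```python
import html
import re

# Added example, not Jinja2's own code: a minimal re-implementation of what the
# advisory describes for the "xmlattr" filter. Attribute *values* are escaped;
# attribute *names* (the dict keys) were not validated before the fix.


def xmlattr_unchecked(attrs):
    """Pre-fix behaviour: escape values, emit keys verbatim."""
    parts = []
    for key, value in attrs.items():
        if value is None:  # the real filter also skips None values
            continue
        parts.append(f'{key}="{html.escape(str(value), quote=True)}"')
    return " " + " ".join(parts) if parts else ""


# Characters that terminate an attribute name in HTML and so let a key smuggle
# in a further attribute. This set is an assumption of the example, modelled on
# the kind of check the fix introduces; it is not copied from the package.
_BAD_KEY_CHARS = re.compile(r"[\s/>=]", flags=re.ASCII)


def key_is_safe(key):
    return _BAD_KEY_CHARS.search(str(key)) is None


def xmlattr_checked(attrs):
    """Post-fix behaviour: refuse any key that could end the attribute name."""
    for key in attrs:
        if not key_is_safe(key):
            raise ValueError(f"Invalid character in attribute name: {key!r}")
    return xmlattr_unchecked(attrs)


# A blocklist on whole key names, the kind of validation the advisory says can
# be bypassed: the hostile key below is not literally "onmouseover".
EVENT_HANDLER_BLOCKLIST = {"onclick", "onmouseover", "onerror", "onload"}


def blocklist_allows(attrs):
    return all(key not in EVENT_HANDLER_BLOCKLIST for key in attrs)


# Constructed attacker-controlled key: the space ends "data-x" and the rest is
# parsed by the browser as a second, unquoted attribute.
HOSTILE_ATTRS = {"data-x onmouseover=alert(1) data-y": "1"}
# Constructed benign input: a hostile *value* is neutralised by escaping.
BENIGN_ATTRS = {"class": "card", "title": '"><script>', "hidden": None}

if __name__ == "__main__":
    print(xmlattr_unchecked(BENIGN_ATTRS))
    print(xmlattr_unchecked(HOSTILE_ATTRS))  # attribute injected
    print(blocklist_allows(HOSTILE_ATTRS))   # True: blocklist bypassed
    try:
        xmlattr_checked(HOSTILE_ATTRS)
    except ValueError as exc:
        print("rejected:", exc)
```

The point to take from the example is that escaping the values alone is not enough: the name side of `name="value"` is just as much part of the output, and a blocklist on whole key names cannot see an attribute that is hidden inside another key. Rejecting name-terminating characters (or allow-listing names) is the check that closes the hole; applications that build the dict passed to `xmlattr` from request data should also not let user input choose the keys at all.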
--- mirror/ftp/pool/main/j/jinja2/jinja2_2.10-2.dsc +++ apt/ucs_5.0-0-errata5.0-6/source/jinja2_2.10-2+deb10u1.dsc @@ -1,3 +1,13 @@ +2.10-2+deb10u1 [Mon, 22 Jan 2024 12:57:18 -0800] Chris Lamb <lamby@debian.org>: + + * Non-maintainer upload by the Debian LTS team. + * CVE-2024-22195: Fix an issue where it was possible to inject arbitrary HTML + attributes into the rendered HTML via the "xmlattr" filter, potentially + leading to a Cross-Site Scripting (XSS) attack. It may also have been + possible to bypass attribute validation checks if they were + blacklist-based. (Closes: #1060748) + * Actually run the testsuite, on both Python 2.x and Python 3.x. + 2.10-2 [Tue, 09 Apr 2019 21:58:20 +0200] Piotr Ożarowski <piotr@debian.org>: [ Thomas Goirand ] <http://piuparts.knut.univention.de/5.0-6/#8367908690102894171>
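Review bot: The hunk only adds the Debian changelog entry to the .dsc; the code change to the "xmlattr" filter that actually fixes CVE-2024-22195 is not part of this diff, so the fix cannot be reviewed from the patch shown here. The erratum should reference the upstream commit or include the filter hunk, and given the final bullet "* Actually run the testsuite, on both Python 2.x and Python 3.x." the build log showing that the testsuite now runs and passes on both interpreters is the evidence worth attaching. Minor: the "(Closes: #1060748)" reference present in this changelog is dropped from the announcement text above; keep it so the Debian bug can be followed from the erratum.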
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-6] 245fdd6ac0 Bug #57007: jinja2 2.10-2+deb10u1
 doc/errata/staging/jinja2.yaml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
[5.0-6] 0687f6227b Bug #57007: jinja2 2.10-2+deb10u1
 doc/errata/staging/jinja2.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x930>