[Python-modules-team] Bug#879098: mistune: CVE-2017-15612: cross-site scripting vulnerablity

Salvatore Bonaccorso carnil at debian.org
Thu Oct 19 11:45:29 UTC 2017


Source: mistune
Version: 0.7.4-1
Severity: important
Tags: patch security upstream
Control: found -1 0.7.3-1

Hi,

the following vulnerability was published for mistune.

CVE-2017-15612[0]:
| mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such
| as in java\nscript:) or a crafted email address, related to the escape
| and autolink functions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15612
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15612
[1] https://github.com/lepture/mistune/pull/140

Regards,
Salvatore



More information about the Python-modules-team mailing list