quoted sections in tag not grouped correctly #366

Closed
zzzeek opened this issue Aug 29, 2022 · 1 comment
Labels: bug (Something isn't working), lexer

Comments

@zzzeek (Member) commented Aug 29, 2022

This will crash the Lexer due to the regex:

```python
from mako.lexer import Lexer

# an unterminated tag opener followed by 3000 double quotes
template = "<%0" + '"' * 3000
Lexer(template).parse()
```
@sqla-tester (Collaborator) commented

Mike Bayer has proposed a fix for this issue in the main branch:

fix tag regexp to match quoted groups correctly https://gerrit.sqlalchemy.org/c/sqlalchemy/mako/+/4053

zzzeek changed the title from "issue placeholder" to "quoted sections in tag not grouped correctly" Aug 29, 2022
zzzeek added the bug (Something isn't working) and lexer labels Aug 29, 2022
jbmchuck added a commit to tableau/altimeter that referenced this issue Sep 16, 2022
sbrunner added a commit to camptocamp/shared_config_manager that referenced this issue Sep 28, 2022
  +==============================================================================+
   VULNERABILITIES FOUND
  +==============================================================================+

  -> Vulnerability found in lxml version 4.8.0
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.1.6
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 3, 2022
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 3, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 4, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 6, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 6, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 7, 2022
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 7, 2022
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 19, 2022
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 19, 2022
rpurdie pushed a commit to yoctoproject/poky that referenced this issue Nov 1, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

(From OE-Core rev: c927983ba7af9895e550018476759dd12fa90452)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 1, 2022
rpurdie pushed a commit to yoctoproject/poky that referenced this issue Nov 1, 2022
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 1, 2022
rpurdie pushed a commit to yoctoproject/poky that referenced this issue Nov 2, 2022
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 2, 2022
kraj pushed a commit to YoeDistro/poky that referenced this issue Nov 2, 2022
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 24, 2022
rickprice pushed a commit to ActiveState/mako that referenced this issue Dec 8, 2023
Fixed issue in lexer where the regexp used to match tags would not
correctly interpret quoted sections individually. While this parsing issue
still produced the same expected tag structure later on, the mis-handling
of quoted sections was also subject to a regexp crash if a tag had a large
number of quotes within its quoted sections.

Fixes: sqlalchemy#366
Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
(cherry picked from commit 9257602)
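The quoted-section ambiguity this commit message and the reproducer at the top of the issue describe, shown with constructed patterns. This is an added example, not Mako's lexer regexp or the project's fix; the tag grammar, function names and sample tags are assumptions made for illustration.

```python
"""Why a tag regexp that does not group quoted sections individually can blow up.

Constructed illustration for sqlalchemy/mako#366: the patterns below imitate
the shape of a ``<%keyword attr="value" />`` tag matcher but are NOT Mako's
actual lexer regexps or its fix. Function names and sample tags are assumptions.
"""
import re

KEYWORD = r"<%(\w+)"   # tag keyword, e.g. the ``0`` in the reproducer ``<%0``
TAIL = r"\s*(/)?>"     # optional self-closing slash, then the closing '>'

# Ambiguous form: inside ``".*?"`` the lazy ``.*?`` may itself swallow quote
# characters, so one quoted section can end at any later quote. A long run of
# quotes with no closing '>' can be split into quoted sections in exponentially
# many ways, and the engine tries them all before giving up.
AMBIGUOUS_ATTRS = r"((?:\s+\w+|\s*=\s*|\".*?\"|'.*?')*)"

# Grouped form: a quoted section is one opening quote, a run of non-quote
# characters, one closing quote. Each run of quotes then has exactly one
# parse, so a failing match backtracks linearly instead of exponentially.
GROUPED_ATTRS = r"((?:\s+\w+|\s*=\s*|\"[^\"]*\"|'[^']*')*)"

AMBIGUOUS_TAG = re.compile(KEYWORD + AMBIGUOUS_ATTRS + TAIL)
GROUPED_TAG = re.compile(KEYWORD + GROUPED_ATTRS + TAIL)


def parse_tag(text, pattern=GROUPED_TAG):
    """Match a tag at the start of ``text``.

    Returns ``(keyword, attribute_text, self_closing)`` or ``None``.
    """
    m = pattern.match(text)
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3) == "/"


def reproducer(n=3000):
    """The issue's input: a tag opener followed by n double quotes and no '>'."""
    return "<%0" + '"' * n


def ambiguous_segmentations(n):
    """Number of complete ways the ambiguous pattern can split a run of n quote
    characters into quoted sections.

    Each section is an opening quote, zero or more swallowed quotes and a
    closing quote, i.e. a part of length >= 2. Counting compositions of n into
    parts >= 2 gives ways(n) = sum(ways(n - k) for k >= 2), which telescopes to
    the Fibonacci recurrence ways(n) = ways(n - 1) + ways(n - 2). This is a
    lower bound on the paths explored when the overall match fails.
    """
    ways = [1, 0] + [0] * max(0, n - 1)   # ways[0] = 1 (empty run), ways[1] = 0
    for i in range(2, n + 1):
        ways[i] = ways[i - 1] + ways[i - 2]
    return ways[n]


def grouped_segmentations(n):
    """With ``"[^"]*"`` every quoted section is exactly ``""``: one parse for an
    even-length run of quotes, none for an odd-length run."""
    return 1 if n % 2 == 0 else 0


if __name__ == "__main__":
    # Both patterns agree on well-formed tags, including '>' and '=' inside quotes.
    tag = '<%include file="a>b" args="x=1"/>'
    print(parse_tag(tag, AMBIGUOUS_TAG))
    print(parse_tag(tag, GROUPED_TAG))

    # The grouped pattern rejects the 3000-quote reproducer almost instantly.
    # (Do not feed reproducer() to AMBIGUOUS_TAG: that is the hang being described.)
    print(parse_tag(reproducer(), GROUPED_TAG))

    for n in (6, 20, 3000):
        print(n, "quotes:", ambiguous_segmentations(n), "vs", grouped_segmentations(n))
```

Run as a script it prints the identical parses, the fast `None` for the reproducer, and the segmentation counts (5 vs 1 for six quotes, a 600-plus-digit number vs 1 for three thousand).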