Security update for python-Jinja2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14644-1 Final 1 1 2021-02-25T17:43:18Z current 2021-02-25T17:43:18Z 2021-02-25T17:43:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Jinja2 This update for python-Jinja2 fixes the following issues: - CVE-2020-28493: Improve the speed of the 'urlize' filter by reducing regex backtracking. Email matching requires a word character at the start of the domain part, and only word characters in the TLD. (bsc#1181944) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). pubclsp3-python-Jinja2-14644,slesctsp3-python-Jinja2-14644,slesctsp4-python-Jinja2-14644 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114644-1/ Link for SUSE-SU-2021:14644-1 https://lists.suse.com/pipermail/sle-security-updates/2021-February/008377.html E-Mail link for SUSE-SU-2021:14644-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1181944 SUSE Bug 1181944 https://www.suse.com/security/cve/CVE-2020-28493/ SUSE CVE CVE-2020-28493 page SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS SUSE Linux Enterprise Server 11-PUBCLOUD python-Jinja2-2.6-2.19.5.1 python-Jinja2-2.6-2.19.5.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python-Jinja2-2.6-2.19.5.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python-Jinja2-2.6-2.19.5.1 as a component of SUSE Linux Enterprise Server 11-PUBCLOUD This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. CVE-2020-28493 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python-Jinja2-2.6-2.19.5.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python-Jinja2-2.6-2.19.5.1 SUSE Linux Enterprise Server 11-PUBCLOUD:python-Jinja2-2.6-2.19.5.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114644-1/ https://www.suse.com/security/cve/CVE-2020-28493.html CVE-2020-28493 https://bugzilla.suse.com/1181944 SUSE Bug 1181944