[Buildroot] [PATCH] package/python-pygments: security bump to version 2.7.4
Peter Korsgaard
peter at korsgaard.com
Tue Apr 6 09:23:42 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
>
> - CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to
>   2.7.3 may lead to denial of service when performing syntax highlighting of
>   a Standard ML (SML) source file, as demonstrated by input that only
>   contains the "exception" keyword
>
> - CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse
>   programming languages rely heavily on regular expressions. Some of the
>   regular expressions have exponential or cubic worst-case complexity and
>   are vulnerable to ReDoS. By crafting malicious input, an attacker can
>   cause a denial of service
>
> Python 2.x support was dropped in pygments 2.6, so adjust (reverse)
> dependencies:
>
> Version 2.6
> -----------
> (released March 8, 2020)
>
> - Running Pygments on Python 2.x is no longer supported.
>   (The Python 2 lexer still exists.)
>
> Adjust the license hash for a change of copyright years:
> https://github.com/pygments/pygments/commit/a590ac5ea7c00a41e253834306bfa19e38349c0b
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard