An update for python-jinja2 is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1190 Final 1.0 1.0 2021-05-15 Initial 2021-05-15 2021-05-15 openEuler SA Tool V1.0 2021-05-15 python-jinja2 security update An update for python-jinja2 is now available for openEuler-20.03-LTS-SP1. Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications where security is important. Security Fix(es): This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.(CVE-2020-28493) An update for python-jinja2 is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python-jinja2 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1190 https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-28493 https://nvd.nist.gov/vuln/detail/CVE-2020-28493 openEuler-20.03-LTS-SP1 python3-jinja2-2.11.2-2.oe1.noarch.rpm python-jinja2-help-2.11.2-2.oe1.noarch.rpm python2-jinja2-2.11.2-2.oe1.noarch.rpm python-jinja2-2.11.2-2.oe1.src.rpm This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. 2021-05-15 CVE-2020-28493 openEuler-20.03-LTS-SP1 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L python-jinja2 security update 2021-05-15 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1190