package/python-pygments: security bump to version 2.7.4 (03c2a812) · Commits · Infra Solutions / Reference Design / platsw / buildroot

Commit 03c2a812 authored Apr 04, 2021 by Peter Korsgaard Committed by Thomas Petazzoni Apr 05, 2021

package/python-pygments: security bump to version 2.7.4

Fixes the following security issues:

- CVE-2021-20270: An infinite loop in SMLLexer in Pygments versions 1.5 to
  2.7.3 may lead to denial of service when performing syntax highlighting of
  a Standard ML (SML) source file, as demonstrated by input that only
  contains the "exception" keyword

- CVE-2021-27291: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse
  programming languages rely heavily on regular expressions.  Some of the
  regular expressions have exponential or cubic worst-case complexity and
  are vulnerable to ReDoS.  By crafting malicious input, an attacker can
  cause a denial of service

Python 2.x support was dropped in pygments 2.6, so adjust (reverse)
dependencies:

Version 2.6
-----------
(released March 8, 2020)

- Running Pygments on Python 2.x is no longer supported.
  (The Python 2 lexer still exists.)

Adjust the license hash for a change of copyright years:
https://github.com/pygments/pygments/commit/a590ac5ea7c00a41e253834306bfa19e38349c0b



Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

parent 94fa503d

Hide whitespace changes

Inline Side-by-side

Please register or to comment