NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a8d1e0532b
kumquat-buildroot/package/python-jinja2/python-jinja2.mk
Peter Seiderer fafa3cda2f package/python-jinja2: security bump to version 2.11.3 
Fixes the following security issue:

- CVE-2020-28493: This affects the package jinja2 from 0.0.0 and before
  2.11.3.  The ReDoS vulnerability is mainly due to the `_punctuation_re
  regex` operator and its use of multiple wildcards.  The last wildcard is
  the most exploitable as it searches for trailing punctuation.  This issue
  can be mitigated by Markdown to format user content instead of the urlize
  filter, or by implementing request timeouts and limiting process memory.

  https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ff97693953)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 15:15:15 +02:00

34 lines
1.3 KiB
Makefile
Raw Blame History

################################################################################
#
# python-jinja2
#
################################################################################
# Please keep in sync with package/python3-jinja2/python3-jinja2.mk
PYTHON_JINJA2_VERSION = 2.11.3
PYTHON_JINJA2_SOURCE = Jinja2-$(PYTHON_JINJA2_VERSION).tar.gz
PYTHON_JINJA2_SITE = https://files.pythonhosted.org/packages/4f/e7/65300e6b32e69768ded990494809106f87da1d436418d5f1367ed3966fd7
PYTHON_JINJA2_SETUP_TYPE = setuptools
PYTHON_JINJA2_LICENSE = BSD-3-Clause
PYTHON_JINJA2_LICENSE_FILES = LICENSE.rst
PYTHON_JINJA2_CPE_ID_VENDOR = pocoo
PYTHON_JINJA2_CPE_ID_PRODUCT = jinja2
# In host build, setup.py tries to download markupsafe if it is not installed
HOST_PYTHON_JINJA2_DEPENDENCIES = host-python-markupsafe
# Both asyncsupport.py and asyncfilters.py use async feature, that is
# not available in Python 2 and some features available in Python 3.6.
# So in both cases *.py compilation would produce compiler errors.
# Hence remove both files after package extraction.
ifeq ($(BR2_PACKAGE_PYTHON),y)
define PYTHON_JINJA2_REMOVE_ASYNC_SUPPORT
rm $(@D)/src/jinja2/asyncsupport.py $(@D)/src/jinja2/asyncfilters.py
endef
PYTHON_JINJA2_POST_EXTRACT_HOOKS = PYTHON_JINJA2_REMOVE_ASYNC_SUPPORT
endif
$(eval $(python-package))
$(eval $(host-python-package))
Reference in New Issue View Git Blame Copy Permalink