Ubuntu Security Notice 6599-1 - Yeting Li discovered that Jinja incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. It was discovered that Jinja incorrectly handled certain HTML passed to the xmlattr filter. An attacker could inject arbitrary HTML attribute keys and values, potentially leading to XSS.
==========================================================================
Ubuntu Security Notice USN-6599-1
January 25, 2024
jinja2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in jinja2.
Software Description:
- jinja2: documentation for the Jinja2 Python library
Details:
Yeting Li discovered that Jinja incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS,
and Ubuntu 20.04 LTS. (CVE-2020-28493)

It was discovered that Jinja incorrectly handled certain HTML passed to
the xmlattr filter. An attacker could inject arbitrary HTML attribute
keys and values, potentially leading to XSS. (CVE-2024-22195)
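The second issue turns on attribute keys, not values: an xmlattr-style filter escapes values, but a key containing whitespace, "/", ">" or "=" can close the current attribute and open another. The helper below is an added example written for this notice, not Jinja's own code or anything from the Ubuntu packages; it reimplements the attribute rendering in plain Python (no jinja2 import) so it runs anywhere, validates keys against a conventional attribute-name allowlist before rendering, and offers an `unsafe_keys` audit function for reviewing attribute mappings that come from user input. The remark that the upstream fix rejects keys matching `[\s/>=]` is my understanding of the Jinja 3.1.3 change and is an assumption, not something this advisory states.

```python
"""Hardened xmlattr-style rendering (added example, not part of USN-6599-1).

CVE-2024-22195 is an XSS in Jinja's ``xmlattr`` filter when attribute
*keys* are attacker-controlled.  This module shows the defensive pattern
independently of Jinja: keys are validated before rendering and values are
HTML-escaped.  Assumption: the upstream fix in Jinja 3.1.3 rejects keys
matching the characters in ``[\\s/>=]``; the allowlist used here is
stricter than that and is this example's own choice.
"""
import html
import re
from typing import Any, Dict, List

# Allowlist for a conventional HTML/XML attribute name: a letter, '_' or ':'
# followed by letters, digits, '_', ':', '.' or '-'.  Anything else (spaces,
# '/', '>', '=', quotes) cannot break out of the attribute being rendered.
_ATTR_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.-]*$")


def is_safe_attr_key(key: Any) -> bool:
    """True if ``key`` is a string that can be emitted verbatim as an attribute name."""
    return isinstance(key, str) and _ATTR_NAME.match(key) is not None


def unsafe_keys(attrs: Dict[Any, Any]) -> List[Any]:
    """Audit helper: return every key in ``attrs`` that would be refused.

    Useful when reviewing a mapping built from request data before it ever
    reaches a template filter.
    """
    return [key for key in attrs if not is_safe_attr_key(key)]


def safe_xmlattr(attrs: Dict[Any, Any], autospace: bool = True) -> str:
    """Render ``attrs`` as ``key="value"`` pairs, refusing injectable keys.

    Mirrors the observable behaviour of Jinja's xmlattr for the safe case:
    entries whose value is None are skipped, values are escaped (including
    both quote characters), and a leading space is added when ``autospace``
    is set and at least one attribute was rendered.  Any key that fails the
    allowlist raises ValueError instead of being rendered.
    """
    bad = unsafe_keys(attrs)
    if bad:
        raise ValueError(f"refusing to render attribute keys: {bad!r}")
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        parts.append(f'{key}="{html.escape(str(value), quote=True)}"')
    rendered = " ".join(parts)
    if autospace and rendered:
        rendered = " " + rendered
    return rendered


def render_tag(tag: str, attrs: Dict[Any, Any]) -> str:
    """Build an opening tag, e.g. ``<a href="...">``, using safe_xmlattr."""
    if not is_safe_attr_key(tag):
        raise ValueError(f"invalid tag name: {tag!r}")
    return f"<{tag}{safe_xmlattr(attrs)}>"


if __name__ == "__main__":
    # Constructed sample: a value carrying a quote is escaped, not interpreted.
    print(render_tag("a", {"href": "/x", "title": 'say "hi"', "hidden": None}))
    # Constructed sample: a key with a space is refused before rendering.
    print("unsafe keys:", unsafe_keys({"class": "btn", "data x": "1"}))
```

The design choice here is to put the policy on the key, where the bug was, and keep values on the escaping path; untrusted input should only ever flow into values, and `unsafe_keys` gives a cheap pre-check for any mapping whose keys are not fixed in the template.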
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
python3-jinja2 3.1.2-1ubuntu0.23.10.1
Ubuntu 22.04 LTS:
python3-jinja2 3.0.3-1ubuntu0.1
Ubuntu 20.04 LTS:
python-jinja2 2.10.1-2ubuntu0.2
python3-jinja2 2.10.1-2ubuntu0.2
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
python-jinja2 2.10-1ubuntu0.18.04.1+esm1
python3-jinja2 2.10-1ubuntu0.18.04.1+esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
python-jinja2 2.8-1ubuntu0.1+esm2
python3-jinja2 2.8-1ubuntu0.1+esm2
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
python-jinja2 2.7.2-2ubuntu0.1~esm2
python3-jinja2 2.7.2-2ubuntu0.1~esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6599-1
CVE-2020-28493, CVE-2024-22195
Package Information:
https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.1
https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.2