   openSUSE Security Update: Security update for python-Jinja2
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:0244-1
Rating:             moderate
References:         #858239 
Cross-References:   CVE-2014-0012
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-Jinja2 fixes the following issues:

   - Update to 2.8
     - Added `target` parameter to urlize function.
     - Added support for `followsymlinks` to the file system loader.
     - The truncate filter now counts the length.
     - Added equalto filter that helps with select filters.
     - Changed cache keys to use absolute file names if available instead of
       load names.
     - Fixed loop length calculation for some iterators.
     - Changed how Jinja2 enforces strings to be native strings in Python 2
       to work when people break their default encoding.
     - Added :func:`make_logging_undefined` which returns an undefined
       object that logs failures into a logger.
     - If unmarshalling of cached data fails the template will be reloaded
       now.
     - Implemented a block ``set`` tag.
     - Default cache size was incrased to 400 from a low 50.
     - Fixed ``is number`` test to accept long integers in all Python
       versions.
     - Changed ``is number`` to accept Decimal as a number.
     - Added a check for default arguments followed by non-default arguments.
       This change makes ``{% macro m(x, y=1, z) %}...{% endmacro %}`` a
       syntax error. The previous behavior for this code was broken anyway
       (resulting in the default value being applied to `y`).
     - Add ability to use custom subclasses of
       ``jinja2.compiler.CodeGenerator`` and ``jinja2.runtime.Context`` by
       adding two new attributes to the environment (`code_generator_class`
       and `context_class`) (pull request ``#404``).
     - added support for context/environment/evalctx decorator functions on
       the finalize callback of the environment.
     - escape query strings for urlencode properly.  Previously slashes were
       not escaped in that place.
     - Add 'base' parameter to 'int' filter.
   - Tests are removed from the package (not distributed in the tar.gz)

   - Use %python_version over %py_ver: better portability to RHEL

   - run testsuite during build

   - adjust dependency to use up to date package name for python-MarkupSafe

   - Update to 2.7.3 (boo#858239, CVE-2014-0012)
     - Security issue: Corrected the security fix for the cache folder. This
       fix was provided by RedHat.

   - fix package build (file selection missing)

   - avoid rebuildcycle with vim

   - update to 2.7.2:
     - Prefix loader was not forwarding the locals properly to inner
       loaders.  This is now fixed.
     - Security issue: Changed the default folder for the filesystem cache to
       be user specific and read and write protected on UNIX systems.  See
       `Debian bug 734747`_ for more information.

   - Require python-setuptools instead of distribute (upstreams merged)

   - Avoid "Recommends:" on old rpm distros

   - update to 2.7.1:
    - Fixed a bug with ``call_filter`` not working properly on environment
      and context filters.
    - Fixed lack of Python 3 support for bytecode caches.
    - Reverted support for defining blocks in included templates as this
      broke existing templates for users.
    - Fixed some warnings with hashing of undefineds and nodes if Python is
      run with warnings for Python 3.
    - Added support for properly hashing undefined objects.
    - Fixed a bug with the title filter not working on already uppercase
      strings.

   - update to 2.7:
     - Choice and prefix loaders now dispatch source and template lookup
       separately in order to work in combination with module loaders as
       advertised.
     - Fixed filesizeformat.
     - Added a non-silent option for babel extraction.
     - Added `urlencode` filter that automatically quotes values for URL safe
       usage with utf-8 as only supported encoding.  If applications want to
       change this encoding they can override the filter.
     - Added `keep-trailing-newline` configuration to environments and
       templates to optionally preserve the final trailing newline.
     - Accessing `last` on the loop context no longer causes the iterator to
       be consumed into a list.
     - Python requirement changed: 2.6, 2.7 or >= 3.3 are required now,
       supported by same source code, using the "six" compatibility library.
     - Allow `contextfunction` and other decorators to be applied to
       `__call__`.
     - Added support for changing from newline to different signs in the
       `wordwrap` filter.
     - Added support for ignoring memcache errors silently.
     - Added support for keeping the trailing newline in templates.
     - Added finer grained support for stripping whitespace on the left side
       of blocks.
     - Added `map`, `select`, `reject`, `selectattr` and `rejectattr` filters.
     - Added support for `loop.depth` to figure out how deep inside a
       recursive loop the code is.
     - Disabled py_compile for pypy and python 3.

   - Fix building python 3 package on openSUSE 11.4 x86_64

   - Add 2to3 buildrequires to allow for proper conversion of python 3 version

   - Add python 3 package
   - Simplify vim plugin packaging
   - Add suggests for vim and emacs in their respective packages
   - Removed test for obsolete openSUSE version

   - Simplified macro usage

   - Split of 'vim' and 'emacs' sub-packages that contain syntax highlighting
     support for both editors
   - Set license to BSD-3-Clause (SPDX style)
   - Require python-distribute instead of python-setuptools

   - Update to version 2.6:
     * internal attributes now raise an internal attribute error now instead
       of returning an undefined.  This fixes problems when passing undefined
       objects to Python semantics expecting APIs.
     * traceback support now works properly for PyPy.  (Tested with 1.4)
     * implemented operator intercepting for sandboxed environments.  This
       allows application developers to disable builtin operators for better
       security.  (For instance limit the mathematical operators to actual
       integers instead of longs)
     * groupby filter now supports dotted notation for grouping by attributes
       of attributes.
     * scoped blocks not properly treat toplevel assignments and imports.
       Previously an import suddenly "disappeared" in a scoped block.
     * automatically detect newer Python interpreter versions before loading
       code from bytecode caches to prevent segfaults on invalid opcodes.
       The segfault in earlier Jinja2 versions here was not a Jinja2 bug but
       a limitation in the underlying Python interpreter.  If you notice
       Jinja2 segfaulting in earlier versions after an upgrade of the Python
       interpreter you don't have to upgrade, it's enough to flush the
       bytecode cache.  This just no longer makes this necessary, Jinja2 will
       automatically detect these cases now.
     * the sum filter can now sum up values by attribute.  This is a
       backwards incompatible change.  The argument to the filter previously
       was the
       optional starting index which defaultes to zero.  This now became the
        second argument to the function because it's rarely used.
     * like sum, sort now also makes it possible to order items by attribute.
     * like sum and sort, join now also is able to join attributes of objects
       as string.
     * the internal eval context now has a reference to the environment.
     * added a mapping test to see if an object is a dict or an object with a
       similar interface.

   - Renamed to python-Jinja2
   - Fix wrong EOL encodings

   - Do not require python-setuptools, buildrequires is sufficient
   - Removed authors from description
   - Changed license to BSD3c

   - rpmlint issues cleanup
     * fdupes, tar.bz2 tarball, ...
   - package docs again (lost with last revision)

   - re-generated spec file with py2pack
     * now builds for Fedora and Mandriva

   - Update to 2.2.1;
   - Fixed changes file name.

   - initial package (2.1.1)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2019-244=1



Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

      python-Jinja2-2.8-2.1
      python-Jinja2-emacs-2.8-2.1
      python-Jinja2-vim-2.8-2.1


References:

   https://www.suse.com/security/cve/CVE-2014-0012.html
   https://bugzilla.suse.com/858239

--

openSUSE: 2019:0244-1: moderate: python-Jinja2

February 26, 2019

An update that fixes one vulnerability is now available.

Description

This update for python-Jinja2 fixes the following issues: - Update to 2.8 - Added `target` parameter to urlize function. - Added support for `followsymlinks` to the file system loader. - The truncate filter now counts the length. - Added equalto filter that helps with select filters. - Changed cache keys to use absolute file names if available instead of load names. - Fixed loop length calculation for some iterators. - Changed how Jinja2 enforces strings to be native strings in Python 2 to work when people break their default encoding. - Added :func:`make_logging_undefined` which returns an undefined object that logs failures into a logger. - If unmarshalling of cached data fails the template will be reloaded now. - Implemented a block ``set`` tag. - Default cache size was incrased to 400 from a low 50. - Fixed ``is number`` test to accept long integers in all Python versions. - Changed ``is number`` to accept Decimal as a number. - Added a check for default arguments followed by non-default arguments. This change makes ``{% macro m(x, y=1, z) %}...{% endmacro %}`` a syntax error. The previous behavior for this code was broken anyway (resulting in the default value being applied to `y`). - Add ability to use custom subclasses of ``jinja2.compiler.CodeGenerator`` and ``jinja2.runtime.Context`` by adding two new attributes to the environment (`code_generator_class` and `context_class`) (pull request ``#404``). - added support for context/environment/evalctx decorator functions on the finalize callback of the environment. - escape query strings for urlencode properly. Previously slashes were not escaped in that place. - Add 'base' parameter to 'int' filter. - Tests are removed from the package (not distributed in the tar.gz) - Use %python_version over %py_ver: better portability to RHEL - run testsuite during build - adjust dependency to use up to date package name for python-MarkupSafe - Update to 2.7.3 (boo#858239, CVE-2014-0012) - Security issue: Corrected the security fix for the cache folder. This fix was provided by RedHat. - fix package build (file selection missing) - avoid rebuildcycle with vim - update to 2.7.2: - Prefix loader was not forwarding the locals properly to inner loaders. This is now fixed. - Security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems. See `Debian bug 734747`_ for more information. - Require python-setuptools instead of distribute (upstreams merged) - Avoid "Recommends:" on old rpm distros - update to 2.7.1: - Fixed a bug with ``call_filter`` not working properly on environment and context filters. - Fixed lack of Python 3 support for bytecode caches. - Reverted support for defining blocks in included templates as this broke existing templates for users. - Fixed some warnings with hashing of undefineds and nodes if Python is run with warnings for Python 3. - Added support for properly hashing undefined objects. - Fixed a bug with the title filter not working on already uppercase strings. - update to 2.7: - Choice and prefix loaders now dispatch source and template lookup separately in order to work in combination with module loaders as advertised. - Fixed filesizeformat. - Added a non-silent option for babel extraction. - Added `urlencode` filter that automatically quotes values for URL safe usage with utf-8 as only supported encoding. If applications want to change this encoding they can override the filter. - Added `keep-trailing-newline` configuration to environments and templates to optionally preserve the final trailing newline. - Accessing `last` on the loop context no longer causes the iterator to be consumed into a list. - Python requirement changed: 2.6, 2.7 or >= 3.3 are required now, supported by same source code, using the "six" compatibility library. - Allow `contextfunction` and other decorators to be applied to `__call__`. - Added support for changing from newline to different signs in the `wordwrap` filter. - Added support for ignoring memcache errors silently. - Added support for keeping the trailing newline in templates. - Added finer grained support for stripping whitespace on the left side of blocks. - Added `map`, `select`, `reject`, `selectattr` and `rejectattr` filters. - Added support for `loop.depth` to figure out how deep inside a recursive loop the code is. - Disabled py_compile for pypy and python 3. - Fix building python 3 package on openSUSE 11.4 x86_64 - Add 2to3 buildrequires to allow for proper conversion of python 3 version - Add python 3 package - Simplify vim plugin packaging - Add suggests for vim and emacs in their respective packages - Removed test for obsolete openSUSE version - Simplified macro usage - Split of 'vim' and 'emacs' sub-packages that contain syntax highlighting support for both editors - Set license to BSD-3-Clause (SPDX style) - Require python-distribute instead of python-setuptools - Update to version 2.6: * internal attributes now raise an internal attribute error now instead of returning an undefined. This fixes problems when passing undefined objects to Python semantics expecting APIs. * traceback support now works properly for PyPy. (Tested with 1.4) * implemented operator intercepting for sandboxed environments. This allows application developers to disable builtin operators for better security. (For instance limit the mathematical operators to actual integers instead of longs) * groupby filter now supports dotted notation for grouping by attributes of attributes. * scoped blocks not properly treat toplevel assignments and imports. Previously an import suddenly "disappeared" in a scoped block. * automatically detect newer Python interpreter versions before loading code from bytecode caches to prevent segfaults on invalid opcodes. The segfault in earlier Jinja2 versions here was not a Jinja2 bug but a limitation in the underlying Python interpreter. If you notice Jinja2 segfaulting in earlier versions after an upgrade of the Python interpreter you don't have to upgrade, it's enough to flush the bytecode cache. This just no longer makes this necessary, Jinja2 will automatically detect these cases now. * the sum filter can now sum up values by attribute. This is a backwards incompatible change. The argument to the filter previously was the optional starting index which defaultes to zero. This now became the second argument to the function because it's rarely used. * like sum, sort now also makes it possible to order items by attribute. * like sum and sort, join now also is able to join attributes of objects as string. * the internal eval context now has a reference to the environment. * added a mapping test to see if an object is a dict or an object with a similar interface. - Renamed to python-Jinja2 - Fix wrong EOL encodings - Do not require python-setuptools, buildrequires is sufficient - Removed authors from description - Changed license to BSD3c - rpmlint issues cleanup * fdupes, tar.bz2 tarball, ... - package docs again (lost with last revision) - re-generated spec file with py2pack * now builds for Fedora and Mandriva - Update to 2.2.1; - Fixed changes file name. - initial package (2.1.1)

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2019-244=1