-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: python-XStatic-Bootstrap-SCSS security update
Advisory ID:       RHSA-2020:5571-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5571
Issue date:        2020-12-16
CVE Names:         CVE-2016-10735 CVE-2018-14042 CVE-2018-20676 
                   CVE-2018-20677 CVE-2019-8331 
====================================================================
1. Summary:

An update for python-XStatic-Bootstrap-SCSS is now available for Red Hat
OpenStack Platform 13 (Queens).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - noarch
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch

3. Description:

python-XStatic-Bootstrap-SCSS is the Bootstrap-SCSS JavaScript library
packaged for setuptools / pip.

Security Fix(es):

* XSS in the data-target attribute (CVE-2016-10735)

* Cross-site Scripting (XSS) in the data-container property of tooltip
(CVE-2018-14042)

* XSS in the tooltip data-viewport attribute (CVE-2018-20676)

* XSS in the affix configuration target property (CVE-2018-20677)

* XSS in the tooltip or popover data-template attribute (CVE-2019-8331)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute

6. Package List:

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:

Source:
python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.src.rpm

noarch:
python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.noarch.rpm
xstatic-bootstrap-scss-common-3.4.1.0-1.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0:

Source:
python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.src.rpm

noarch:
python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.noarch.rpm
xstatic-bootstrap-scss-common-3.4.1.0-1.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-10735
https://access.redhat.com/security/cve/CVE-2018-14042
https://access.redhat.com/security/cve/CVE-2018-20676
https://access.redhat.com/security/cve/CVE-2018-20677
https://access.redhat.com/security/cve/CVE-2019-8331
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX9oTzdzjgjWX9erEAQjpHA//YvCT6Rh9lwF2upnNJNgaEfQTa4rSbh4V
k8BJrWXOufFJVx6QPUZPAyhbNgayo1K3iT/B4vUE69SaJRTN5yNd5YA80F2SktIx
EaEZm7BmbBCvuNi2XyctfShBlxiK89CnZSSzDhcnfHFlgFBA2HXib8oWAhu7DwzK
0cNQEoxxIgYaC0cLDs27QfILdGsFlvJj4HTzb1XYERhjwqa51RUTRzMrUF+DcOSi
5QFvcLOl1T5IXcD0HDJ/1l/knC191EMRh2pLSI705+lDFGoBhLOTMkjndCIXDTz1
t2goIV5EUrikboy6OuPwyJXDmbVONuF/z5UyzHjwo+XdAiFT7RtTQL4CeLYqSaap
Nl7cd7ryvbekZZu5/psH+UNiZFgQSZU0iNoOVEl2skMFXDk0SOL6XnUiRNugpuZT
XAWifOjO/rZCpcEuVPpnRllETpKSKQZd2h3tdE0seKsr2A66V4wAMf3t/sNax4UB
U56spjH81V9NDPRHtS1JRrdKp/J4E6pMEWYYAgZ9ZbweQu53VCpL6/7PvWt50ReH
pkWWgHjKj/roIT2A9Nxm4xpQuTbHgsFy1Td1v/IMqCc7Ce9LcszxJS5LjSXkKNM3
qXiNhZeX7cQqm0oakUmRtgnd/5hMjJEzvdYn0OCLbuk0ep2ARelADzLgg76wJSAu
cu3At4X7mGg=xZ7F
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-5571:01 Moderate: python-XStatic-Bootstrap-SCSS security

An update for python-XStatic-Bootstrap-SCSS is now available for Red Hat OpenStack Platform 13 (Queens)

Summary

python-XStatic-Bootstrap-SCSS is the Bootstrap-SCSS JavaScript library packaged for setuptools / pip.
Security Fix(es):
* XSS in the data-target attribute (CVE-2016-10735)
* Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* XSS in the tooltip data-viewport attribute (CVE-2018-20676)
* XSS in the affix configuration target property (CVE-2018-20677)
* XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2018-14042 https://access.redhat.com/security/cve/CVE-2018-20676 https://access.redhat.com/security/cve/CVE-2018-20677 https://access.redhat.com/security/cve/CVE-2019-8331 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:
Source: python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.src.rpm
noarch: python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.noarch.rpm xstatic-bootstrap-scss-common-3.4.1.0-1.el7ost.noarch.rpm
Red Hat OpenStack Platform 13.0:
Source: python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.src.rpm
noarch: python-XStatic-Bootstrap-SCSS-3.4.1.0-1.el7ost.noarch.rpm xstatic-bootstrap-scss-common-3.4.1.0-1.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2020:5571-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5571
Issued Date: : 2020-12-16
CVE Names: CVE-2016-10735 CVE-2018-14042 CVE-2018-20676 CVE-2018-20677 CVE-2019-8331

Topic

An update for python-XStatic-Bootstrap-SCSS is now available for Red HatOpenStack Platform 13 (Queens).Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat OpenStack Platform 13.0 - noarch

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch


Bugs Fixed

1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip

1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute

1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property

1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute

1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute


Related News

30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved