Changelog from python-markdown2-2.4.2 points to a fix for a regular expression denial of service. References: https://github.com/trentm/python-markdown2/pull/410
Created python-markdown tracking bugs for this issue:
Affects: fedora-all [bug 2028455]

Created python-markdown2 tracking bugs for this issue:
Affects: fedora-all [bug 2028454]
This flaw is specifically within python-markdown2, which is distinct from python-markdown. python-markdown is shipped in RHEL while python-markdown2 is not. Python-markdown does not contain this flaw. The flaw stemmed from loose regex checks when auto linking a URL. This regex expression allowed values that could result in a denial of service and has since been fixed by applying stricter regex checks when auto linking.
Red Hat Satellite does not ship python-markdown2 and rather ships python-markdown, which is a completely different Python module and is not affected.

Affected >> https://github.com/trentm/python-markdown2
Not Affected >> https://github.com/Python-Markdown/markdown
(In reply to Garrett Tucker from comment #2)
> This flaw is specifically within python-markdown2, which is distinct from
> python-markdown. python-markdown is shipped in RHEL while python-markdown2
> is not. Python-markdown does not contain this flaw. The flaw stemmed from
> loose regex checks when auto linking a URL. This regex expression allowed
> values that could result in a denial of service and has since been fixed by
> applying stricter regex checks when auto linking.
Analysis is complete for all the Ansible components and it was found that none of the Ansible components ship python-markdown2. Among Ansible components, Ansible Tower/AWX does use python-markdown[1], which is not affected by this vulnerability. Hence, marking Ansible as "Not Affected".

[1] https://github.com/ansible/galaxy_ng/blob/315235807c88aa04f07517a8547fa18a8081b97c/requirements/requirements.insights.txt#L183