PyPi: Hugo

CVE-2023-1999

Transitive

Safety vulnerability ID: 63313

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 20, 2023 Updated at Nov 19, 2024
Scan your Python projects for vulnerabilities →

Advisory

Hugo 0.121.0 updates its dependency libwebp from version v1.2.4 to v1.3.2, in response to the identified CVE-2023-1999 vulnerability.
https://github.com/gohugoio/hugo/commit/4fb40ee873415e3147cccb9f2ae43267198a41fe

Affected package

hugo

Latest version: 0.139.0

Binaries for the 'extended + withdeploy' edition of the Hugo static site generator, installable with pip

Affected versions

Fixed versions

Vulnerability changelog

There are some minor new features in this release, but it's mostly a release with bug fixes and dependency updates. One notable dependency update is [libweb v1.3.2](https://github.com/webmproject/libwebp/releases/tag/v1.3.2) which comes with a security fix for the Webp _decoder_ (chromium: #1479274, CVE-2023-4863). Hugo only uses the encoder (we use Go's native Webp decoder) so we're not affected by this, but we have been contacted by some corporate Hugo users who's eager to have a clean security report.

Notes

* [kin-openapi v0.122.0](https://github.com/getkin/kin-openapi#v01220) has some minor breaking API changes which, from Hugo's side of it, can be adapted by using the new `.Map` accessors if you get an error.

Bug fixes and enhancements

* github: Fix CI build on Windows 6d4b01241 bep
* Fix handling of dropped error in test 26a8ec207 alrs
* resources/resource: Fix GroupByParamDate with raw TOML dates dd6cd6268 jmooring 11563
* helpers: Fix TrimShortHTML used by markdownify and RenderString 0bde6931a jmooring 11698
* Pull in the latest code from Go's template packages (11771) 9f978d387 bep 10707 11507
* tpl: Allow using page resources on the images page parameter for `opengraph`, `schema` and `twitter_cards` templates 14d85ec13 razonyang
* hugolib: Apply titleCaseStyle to automatic section pages 171836cdf jmooring 11547
* tpl/urls: Retain query and fragment with absURL and absLangURL 9ea7103db jmooring 11772
* markup: Add Level to Heading struct 3fc42da3d jmooring 10776
* tpl/fmt: Print suppression help with erroridf d24da1712 jmooring 11506
* tpl/transform: Display Chroma highlighting errors 4583b4130 jmooring 9642
* common/para: Skip flaky test on CI e2a624dd6 bep
* watcher: Skip flaky test for now 30a18e882 bep
* tpl/transform: Add transform.XMLEscape template function b4c5df42f jmooring 3268
* tpl/tplimpl: Remove superfluous type attr on script elements 8d32ca223 jmooring 6379
* common/para: Skip flaky tests on Windows 27620daa2 bep
* navigation: Unexport menu entry methods 80d2fdbaa jmooring 11670
* markup/goldmark: Sync image render hook code with Goldmark 805cc1773 jmooring 11681

Dependency Updates

* build(deps): bump github.com/alecthomas/chroma/v2 from 2.11.1 to 2.12.0 558f3258a dependabot[bot]
* build(deps): bump github.com/tdewolff/minify/v2 from 2.20.8 to 2.20.9 507f4e356 dependabot[bot]
* build(deps): bump github.com/spf13/cast from 1.5.1 to 1.6.0 a7e721e02 dependabot[bot]
* build(deps): bump github.com/getkin/kin-openapi from 0.121.0 to 0.122.0 2627b91d3 dependabot[bot]
* build(deps): bump golang.org/x/image from 0.13.0 to 0.14.0 e536d461a dependabot[bot]
* deps: Update github.com/tdewolff/minify/v2 v2.20.7 => v2.20.8 bfc325f56 jmooring 5748
* build(deps): bump github.com/spf13/afero from 1.10.0 to 1.11.0 36a60f65d dependabot[bot]
* build(deps): bump github.com/evanw/esbuild from 0.19.7 to 0.19.8 de2fcc5e1 dependabot[bot]
* build(deps): bump google.golang.org/api from 0.151.0 to 0.152.0 9ca889ba4 dependabot[bot]
* deps: Upgrade to libwebp 1.3.2 4fb40ee87 bep 11746
* build(deps): bump github.com/aws/aws-sdk-go from 1.48.4 to 1.48.6 bc93a3613 dependabot[bot]
* build(deps): bump golang.org/x/tools from 0.15.0 to 0.16.0 3e5bc6f3b dependabot[bot]
* build(deps): bump github.com/getkin/kin-openapi from 0.120.0 to 0.121.0 7c47036f1 dependabot[bot]
* build(deps): bump github.com/bep/logg from 0.3.0 to 0.4.0 4d07e1fe8 dependabot[bot]
* deps: Upgrade to github.com/bep/simplecobra v0.4.0 1c41232e6 bep
* build(deps): bump github.com/aws/aws-sdk-go from 1.48.2 to 1.48.4 f11ca0fad dependabot[bot]
* build(deps): bump golang.org/x/tools from 0.14.0 to 0.15.0 d7a2f3f98 dependabot[bot]
* build(deps): bump github.com/gorilla/websocket from 1.5.0 to 1.5.1 ef12d169c dependabot[bot]
* build(deps): bump github.com/fatih/color from 1.15.0 to 1.16.0 a62bbfa9e dependabot[bot]
* build(deps): bump golang.org/x/net from 0.17.0 to 0.18.0 5887230b7 dependabot[bot]
* build(deps): bump github.com/evanw/esbuild from 0.19.5 to 0.19.7 a4a66b821 dependabot[bot]
* build(deps): bump github.com/alecthomas/chroma/v2 from 2.10.0 to 2.11.1 813390b5a dependabot[bot]
* build(deps): bump github.com/tdewolff/minify/v2 from 2.20.5 to 2.20.7 d528bbd6d dependabot[bot]
* build(deps): bump google.golang.org/api from 0.138.0 to 0.151.0 af7f6c8b3 dependabot[bot]
* build(deps): bump github.com/aws/aws-sdk-go from 1.45.14 to 1.48.2 (11724) e70849ea7 dependabot[bot] 11723

Documentation

* docs: Regen docshelper 255e0a971 bep
* docs: Adjust last merge from docs repository 6580cd30a jmooring
* docs: Regen docs helper 7617de86c bep

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Availability (A)
HIGH