PyPi: Python-Hugo

CVE-2023-39318

Transitive

Safety vulnerability ID: 63262

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 08, 2023 Updated at Jan 08, 2024
Scan your Python projects for vulnerabilities →

Advisory

Python-hugo 0.119.0 upgrades its dependency Go to version 1.21.1, in response to the identified CVE-2023-39318 vulnerability.
https://github.com/gohugoio/hugo/commit/1e9b87f7602711fcf84069e03bbae6e0c08f73d1

Affected package

python-hugo

Latest version: 24.1.1

Binaries for the Hugo static site generator, installable with pip

Affected versions

Fixed versions

Vulnerability changelog

This version is built with Go 1.21.1 which contains some relevant security fixes for the `html/template` package, see [Issue 62196](https://github.com/golang/go/issues/62196) and [Issue 62197](https://github.com/golang/go/issues/62197). This is the main reason Hugo 0.119.0 is released sooner rather than later. But this release also comes with a dependency refresh and some useful image processing improvements:

* A new general-purpose [Process](https://gohugo.io/content-management/image-processing/#process) method and filter.
* A new [Opacity](https://gohugo.io/functions/images/#opacity) filter.

`Process` support all of the existing scaling operations, but it can also be used do simple format conversions (e.g. from JPG to PNG). A before/after example:

handlebars
{{ $watermark := resources.Get "logo.jpg" | images.Filter
(images.GaussianBlur 6)
(images.Opacity 0.5)
}}
{{ $watermark = $watermark.Resize (printf "%dx%d png" $watermark.Width $watermark.Height )


There are some issues with the above:

1. The source image does not support transparency, so the transparency pixels will be filled with the configured background colour.
2. The image will be decoded and encoded twice with a potential loss in quality.
3. It's clumsy.

With Hugo 0.119.0 the above can be written as:

handlebars
{{ $watermark := resources.Get "logo.jpg" | images.Filter
(images.GaussianBlur 6)
(images.Opacity 0.5)
(images.Process "png")
}}


Bug fixes

* Fix tests for Go 1.21.1 79a17d9e5 bep 11450
* Fix recently broken benchmark 18ce85462 bep

Improvements

* common: Remove unused constants 6b65b2fae alexandear
* Add images.Process filter 6a246d115 bep 8439
* Add $image.Process ef0e7149d bep 11483
* google_analytics_async.html: Add deprecation warning c32094ace carlmjohnson
* Add images.Opacity filter f9b3c0f48 bep 11471
* Upgrade to Go 1.21.1 1e9b87f76 bep 11474 11414
* create/skeletons: Improve viewport meta tag f9163155d jmooring
* commands/gen: Remove default highlight style 75c0f8828 jmooring 11445
* Adjust baseline benchmarks 69f5bad40 bep
* commands: Print language code after web server address info 525bed991 ilmari-lauhakangas

Dependency Updates

* build(deps): bump golang.org/x/tools from 0.12.0 to 0.13.0 a262fd4dd dependabot[bot]
* build(deps): bump github.com/alecthomas/chroma/v2 from 2.8.0 to 2.9.1 f0d32455d dependabot[bot]
* build(deps): bump github.com/evanw/esbuild from 0.19.2 to 0.19.3 e8bc8e6d0 dependabot[bot]
* build(deps): bump github.com/aws/aws-sdk-go from 1.44.314 to 1.45.14 11fcda971 dependabot[bot]
* build(deps): bump github.com/getkin/kin-openapi from 0.118.0 to 0.120.0 f31375d4c dependabot[bot]
* build(deps): bump golang.org/x/image from 0.11.0 to 0.12.0 6415b599b dependabot[bot]

Documentation

* docs: Even more about images.Process a9d19dbdd bep
* docs: More about images.Process 12d713176 bep
* docs: Regen docshelper 1768684d8 bep
* commands: Update CLI docs with the important -u flag in hugo mod get 275c0acbf bep

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.1

CVSS v3 Details

MEDIUM 6.1
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
CHANGED
Confidentiality Impact (C)
LOW
Integrity Impact (I)
LOW
Availability Availability (A)
NONE