Package: python3-bleach
Version: 3.1.1-0+deb10u1
Severity: serious
Tags: security upstream
From the upstream CHANGES for 3.1.2, which I just noticed:

**Security fixes**

* ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS.

  Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.

  This security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.

  Anyone using Bleach <=v3.1.1 is encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

The Mozilla bug is not public.

Scott K
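The advisory quoted above gives three preconditions (bleach <= 3.1.1, ``strip=False``, and an allowed-tags list that contains ``math`` or ``svg`` together with at least one of the listed RCDATA tags). The following helper, added here as an example and not part of the bug report or of bleach itself, checks a ``bleach.clean`` call's version and arguments against exactly those preconditions so a packager or application owner can find affected call sites without installing bleach. The function names are hypothetical; the version bound and tag sets are taken from the quoted CHANGES entry, and the "drop the RCDATA tags" workaround is an assumption derived from the stated preconditions, not upstream's recommendation (upstream's recommendation is to upgrade).

```python
"""Audit bleach.clean() call sites against the bleach 3.1.2 advisory.

Added example, not bleach's own code. Tag sets and the version bound
come from the upstream CHANGES entry quoted in the bug report.
"""
import re
from typing import Iterable, List, Tuple

# RCDATA tags named in the advisory.
RCDATA_TAGS = frozenset(
    {"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"}
)
# Foreign-content tags named in the advisory.
FOREIGN_TAGS = frozenset({"math", "svg"})
# Last version confirmed affected; 3.1.2 carries the fix.
LAST_AFFECTED = (3, 1, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the leading dotted numeric part of a version string.

    Debian revisions such as '3.1.1-0+deb10u1' are handled by stopping at
    the first character that is neither a digit nor a dot.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparsable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_is_affected(version: str) -> bool:
    """True for any upstream version <= 3.1.1 (the advisory's bound)."""
    return parse_version(version) <= LAST_AFFECTED


def risky_tags(tags: Iterable[str], strip: bool) -> Tuple[frozenset, frozenset]:
    """Return the (foreign, rcdata) subsets of `tags` that together meet the
    advisory's preconditions; both are empty when the call is not in the
    affected shape (strip=True, or one of the two groups is absent)."""
    allowed = {t.lower() for t in tags}
    foreign = frozenset(allowed & FOREIGN_TAGS)
    rcdata = frozenset(allowed & RCDATA_TAGS)
    if strip or not foreign or not rcdata:
        return frozenset(), frozenset()
    return foreign, rcdata


def audit_clean_call(version: str, tags: Iterable[str], strip: bool = False) -> str:
    """Classify a bleach.clean(tags=..., strip=...) call under bleach `version`.

    strip defaults to False because that is bleach.clean's own default.
    Returns 'fixed', 'not-affected-shape', or 'vulnerable'.
    """
    if not version_is_affected(version):
        return "fixed"
    foreign, _rcdata = risky_tags(tags, strip)
    return "vulnerable" if foreign else "not-affected-shape"


def harden_tags(tags: Iterable[str]) -> List[str]:
    """Interim workaround (assumption, derived from the preconditions): when
    math/svg are allowed, drop the RCDATA tags so the vulnerable combination
    cannot occur. Order of the remaining tags is preserved."""
    tag_list = list(tags)
    if not ({t.lower() for t in tag_list} & FOREIGN_TAGS):
        return tag_list
    return [t for t in tag_list if t.lower() not in RCDATA_TAGS]


if __name__ == "__main__":
    # Constructed sample: the Debian package version from the report and an
    # allowed-tags list of the shape the advisory describes.
    debian_version = "3.1.1-0+deb10u1"
    allowed = ["p", "a", "svg", "style", "noembed"]
    print(audit_clean_call(debian_version, allowed))        # vulnerable
    print(audit_clean_call(debian_version, allowed, strip=True))
    print(audit_clean_call("3.1.2", allowed))
    print(harden_tags(allowed))                              # ['p', 'a', 'svg']
```

Upgrading to 3.1.2 or later is the actual fix; ``harden_tags`` only removes one of the two tag groups the advisory says must be present together, and is meant for a call site that cannot be upgraded immediately.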