Your message dated Thu, 19 Mar 2020 04:19:36 +0000
with message-id <e1jemee-000gbi...@fasolo.debian.org>
and subject line Bug#954236: fixed in python-bleach 3.1.3-1
has caused the Debian Bug report #954236,
regarding python3-bleach: New security issue: mutation XSS (again)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
954236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-bleach
Version: 3.1.1-0+deb10u1
Severity: serious
Tags: security upstream

From the upstream CHANGES for 3.1.2, which I just noticed:

**Security fixes**

* ``bleach.clean`` behavior parsing embedded MathML and SVG content
  with RCDATA tags did not match browser behavior and could result in
  a mutation XSS.

  Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
  ``svg`` tags and one or more of the RCDATA tags ``script``,
  ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
  ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
  XSS.

  This security issue was confirmed in Bleach version v3.1.1. Earlier
  versions are likely affected too.

  Anyone using Bleach <=v3.1.1 is encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

The mozilla bug is not public

Scott K

--- End Message ---
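The upstream note above describes a parser mismatch: the sanitizer treated the contents of a raw-text tag such as `style` as text even when that tag sat inside `svg` or `math`, while a browser parses children of those foreign-content elements as markup. The following is an added illustration, not bleach's code and not part of the bug report. It builds a hypothetical `AllowlistSanitizer` on the standard-library `html.parser`, which has the same habit of entering raw-text mode on every `<style>`/`<script>` start tag regardless of namespace (it does not do so for the other tags the note lists, so only `script` and `style` are modelled). The `foreign_aware` flag, the allowlist and the payload are constructed for this example; the real fix lives in bleach's own tokenizer, and on an unfixed bleach the practical mitigation is to drop `svg`/`math` or the raw-text tags from the allowlist.

```python
from html import escape
from html.parser import HTMLParser

# Tags on which html.parser switches to raw-text mode.  The advisory's list for
# bleach's parser is longer (noscript, noframes, iframe, noembed, xmp as well);
# html.parser only does this for script and style, so that is what we model.
RAW_TEXT_TAGS = {"script", "style"}
FOREIGN_ROOTS = {"svg", "math"}


class AllowlistSanitizer(HTMLParser):
    """Hypothetical allowlist sanitizer, not bleach.clean.

    Mirrors strip=False: disallowed tags are escaped rather than removed.
    Attributes are dropped entirely; attribute filtering is out of scope here.
    With foreign_aware=False it reproduces the defect the advisory describes.
    """

    def __init__(self, allowed_tags, foreign_aware):
        super().__init__()
        self.allowed = set(allowed_tags)
        self.foreign_aware = foreign_aware
        self.out = []
        self.foreign_depth = 0        # number of open <svg>/<math> we are inside
        self.raw_passthrough = False  # emit raw-text element content verbatim?

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            # strip=False behaviour: the offending tag becomes visible text.
            self.out.append(escape(self.get_starttag_text()))
            return
        self.out.append(f"<{tag}>")
        if tag in FOREIGN_ROOTS:
            self.foreign_depth += 1
        elif tag in RAW_TEXT_TAGS:
            # html.parser now hands us everything up to the matching end tag as
            # a data chunk; nothing inside is tokenized as a tag.  Outside
            # svg/math a browser does the same, so CSS/JS text may pass through.
            # Inside svg/math a browser parses that text as child elements; the
            # naive sanitizer does not know that and passes it through anyway.
            inside_foreign = self.foreign_depth > 0
            self.raw_passthrough = not (inside_foreign and self.foreign_aware)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.raw_passthrough = False
        if tag not in self.allowed:
            self.out.append(escape(f"</{tag}>"))
            return
        self.out.append(f"</{tag}>")
        if tag in FOREIGN_ROOTS and self.foreign_depth:
            self.foreign_depth -= 1

    def handle_data(self, data):
        if self.raw_passthrough:
            self.out.append(data)            # verbatim: the mutation XSS path
        else:
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(html, allowed_tags, foreign_aware):
    """Run the hypothetical sanitizer over one document and return the output."""
    s = AllowlistSanitizer(allowed_tags, foreign_aware)
    s.feed(html)
    s.close()
    return s.result()


# Constructed inputs: the advisory's dangerous allowlist shape and a payload
# that only becomes a live <img onerror> once a browser re-parses the output.
ALLOWED = {"p", "b", "svg", "math", "style"}
FOREIGN_PAYLOAD = "<p>hi</p><svg><style><img src=x onerror=alert(1)></style></svg>"
PLAIN_PAYLOAD = "<p><img src=x onerror=alert(1)></p>"
LEGIT_CSS = "<style>p{color:red}</style>"

if __name__ == "__main__":
    print("naive   :", sanitize(FOREIGN_PAYLOAD, ALLOWED, foreign_aware=False))
    print("hardened:", sanitize(FOREIGN_PAYLOAD, ALLOWED, foreign_aware=True))
    print("plain   :", sanitize(PLAIN_PAYLOAD, ALLOWED, foreign_aware=False))
    print("css     :", sanitize(LEGIT_CSS, ALLOWED, foreign_aware=True))
```

The naive run returns the `<img ... onerror=...>` untouched inside `<svg><style>`, because the parser never saw it as a tag; the same `<img>` outside foreign content is escaped by both variants, and ordinary `<style>` outside `svg`/`math` still passes through, so the hardening only touches the case where the two parsers disagree.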
--- Begin Message ---
Source: python-bleach
Source-Version: 3.1.3-1
Done: Scott Kitterman <sc...@kitterman.com>

We believe that the bug you reported is fixed in the latest version of
python-bleach, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 954...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated python-bleach package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Mar 2020 00:04:59 -0400
Source: python-bleach
Architecture: source
Version: 3.1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Closes: 954236
Changes:
 python-bleach (3.1.3-1) unstable; urgency=medium
 .
   * Tests re-enabled now that python3.7/3.8 have reverted the problematic
     change
   * New upstream security release (Closes: #954236)
Checksums-Sha1:
 94bf7daf961e3c1e50249c6aa27a804c1e46e97b 2521 python-bleach_3.1.3-1.dsc
 17ac84c2081e006a3b3cf524c8c5ec11d0dae47f 161167 python-bleach_3.1.3.orig.tar.gz
 c610c4c1670e99baf05704d9eb17031a60c02689 5252 python-bleach_3.1.3-1.debian.tar.xz
 203ce7ac2fe3d809c6261f41fa596b0cb39fbe1e 7024 python-bleach_3.1.3-1_source.buildinfo
Checksums-Sha256:
 436d16f21c230f33bb57544101ffee80ac7311c1ae781ea2714f351d8fbfee4e 2521 python-bleach_3.1.3-1.dsc
 beb2210a4a6e307270b3884469e5f44e3d83f512b9e17973d9a649c73c029cb3 161167 python-bleach_3.1.3.orig.tar.gz
 1415c2505c92f8f05f82572475cc1dd6186fc6d37d6f79cd96531fddc99820cd 5252 python-bleach_3.1.3-1.debian.tar.xz
 0c2ec57f13687ff56471c1460e9237f89c4dcafc1e22b7b3a289728f9a4dc914 7024 python-bleach_3.1.3-1_source.buildinfo
Files:
 d8cf83629cb4459846c37c8adf094048 2521 python optional python-bleach_3.1.3-1.dsc
 995410de0eff35dcbe4ed1c25d29cb8e 161167 python optional python-bleach_3.1.3.orig.tar.gz
 dad26d4beaa06932b14fee44db43939b 5252 python optional python-bleach_3.1.3-1.debian.tar.xz
 d6ac6a910868bfc92ce4f33c35aaf876 7024 python optional python-bleach_3.1.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
