Your message dated Sun, 22 Mar 2020 19:52:17 +0000
with message-id <e1jg6dt-0007se...@fasolo.debian.org>
and subject line Bug#954236: fixed in python-bleach 3.1.2-0+deb10u1
has caused the Debian Bug report #954236,
regarding python-bleach: CVE-2020-6816: mutation XSS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
954236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-bleach
Version: 3.1.1-0+deb10u1
Severity: serious
Tags: security upstream

From the upstream CHANGES for 3.1.2, which I just noticed:

**Security fixes**

* ``bleach.clean`` behavior parsing embedded MathML and SVG content
  with RCDATA tags did not match browser behavior and could result in
  a mutation XSS.

  Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
  ``svg`` tags and one or more of the RCDATA tags ``script``,
  ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
  ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
  XSS.

  This security issue was confirmed in Bleach version v3.1.1. Earlier
  versions are likely affected too.

  Anyone using Bleach <=v3.1.1 is encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

The Mozilla bug is not public.

Scott K

--- End Message ---
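The advisory quoted above pins the vulnerable pattern to three things appearing together in a call to `bleach.clean`: `strip=False`, `math` or `svg` in the allowed tags, and at least one of the listed RCDATA tags in the same allow list, on any release up to 3.1.1. As an added example (not code from the bug report, from Debian, or from bleach itself), the script below audits a configuration against exactly those conditions and shows the obvious hardening step of dropping the RCDATA tags from the allow list. It does not import bleach; it only inspects the arguments an application would pass, so it runs with a plain Python interpreter. The `parse_version` handling of a Debian revision suffix such as `-0+deb10u1` is an assumption about how the version string is formatted, not something the page states.

```python
# Added example: audit a bleach.clean() configuration against the conditions
# named in the CVE-2020-6816 advisory. Not code from the bug report, Debian,
# or bleach itself; it never imports bleach, it only inspects call arguments.
from __future__ import annotations

import re
from typing import Iterable

# RCDATA tags listed in the upstream CHANGES entry.
RCDATA_TAGS = frozenset(
    {"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"}
)
# Foreign-content roots listed in the same entry.
FOREIGN_ROOTS = frozenset({"math", "svg"})
# First upstream release carrying the fix, per the changelog.
FIXED_VERSION = (3, 1, 2)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.1.1', 'v3.1.1' or '3.1.2-0+deb10u1' into a numeric tuple.

    Assumption: a Debian revision suffix starts at the first '-' or '+'
    and is dropped before comparing against the upstream version.
    """
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(version: str) -> bool:
    """True for any bleach release older than the fixed 3.1.2."""
    return parse_version(version) < FIXED_VERSION


def risky_tags(allowed_tags: Iterable[str], strip: bool) -> set[str]:
    """RCDATA tags that, combined with math/svg and strip=False, match the
    vulnerable pattern from the advisory. Empty set otherwise."""
    tags = {t.lower() for t in allowed_tags}
    if strip or not (tags & FOREIGN_ROOTS):
        return set()
    return tags & RCDATA_TAGS


def harden(allowed_tags: Iterable[str]) -> list[str]:
    """Drop the RCDATA tags from an allow list, preserving order and case."""
    return [t for t in allowed_tags if t.lower() not in RCDATA_TAGS]


def audit(allowed_tags: Iterable[str], strip: bool, version: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    if is_affected_version(version):
        findings.append(f"bleach {version} predates 3.1.2; upgrade")
    for tag in sorted(risky_tags(allowed_tags, strip)):
        findings.append(
            f"'{tag}' allowed alongside math/svg with strip=False "
            "(CVE-2020-6816 pattern)"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real application.
    sample_tags = ["p", "a", "math", "style", "svg"]
    for line in audit(sample_tags, strip=False, version="3.1.1"):
        print("finding:", line)
    print("hardened allow list:", harden(sample_tags))
```

The version check is the one that matters operationally: the changelog says earlier releases are likely affected too, so an allow list that happens to avoid the pattern today is not a substitute for moving to 3.1.2 (or the `3.1.2-0+deb10u1` backport on buster). Removing the RCDATA tags is still worth doing, since an HTML sanitizer allow list that includes `script`, `style` or `iframe` is rarely intended.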
--- Begin Message ---
Source: python-bleach
Source-Version: 3.1.2-0+deb10u1
Done: Scott Kitterman <sc...@kitterman.com>

We believe that the bug you reported is fixed in the latest version of
python-bleach, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 954...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated python-bleach package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Mar 2020 00:14:11 -0400
Source: python-bleach
Architecture: source
Version: 3.1.2-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Closes: 954236
Changes:
 python-bleach (3.1.2-0+deb10u1) buster-security; urgency=high
 .
   * New upstream security release (Closes: #954236)
     - Addresses CVE-2020-6816
Checksums-Sha1:
 897fe2266b40310ab04611d91aa5698d0592e03b 2923 python-bleach_3.1.2-0+deb10u1.dsc
 6252011e6a456c7440e1ac7c1ca50c15b687ccda 159862 python-bleach_3.1.2.orig.tar.gz
 a50e015e7eaf23b7a9d122a3eccc4b260aa5490e 5268 python-bleach_3.1.2-0+deb10u1.debian.tar.xz
 9f4ed8ebd3a62506f32c3416399a55d11102ff11 7497 python-bleach_3.1.2-0+deb10u1_source.buildinfo
Checksums-Sha256:
 1d7fdde1794c1c21338ab72624d6e42f742cde24a0ac1d215fffc3abcb9d5810 2923 python-bleach_3.1.2-0+deb10u1.dsc
 9e4853bb0d84cb649a95ec2423214afe47e340b1fe80d089f5c30170f6fa3caf 159862 python-bleach_3.1.2.orig.tar.gz
 261ca2d07938c4e4a3229bcff9c4d4aab3a81b020bacd2bb156baf431744ffbf 5268 python-bleach_3.1.2-0+deb10u1.debian.tar.xz
 dd694b4b58aae6d52da445f9c10a772e7ef51bbcd0ae9538d4732f3ca3bb0458 7497 python-bleach_3.1.2-0+deb10u1_source.buildinfo
Files:
 13ca5c577f888751e7d2891035fd799a 2923 python optional python-bleach_3.1.2-0+deb10u1.dsc
 cf28379755fd1ac4fe399e1c188d1ba0 159862 python optional python-bleach_3.1.2.orig.tar.gz
 404ba1dba7abbe9955d006944fe05bd2 5268 python optional python-bleach_3.1.2-0+deb10u1.debian.tar.xz
 0c96eb79364b3675e7972fcc6a7f23e0 7497 python optional python-bleach_3.1.2-0+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
