Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d5a1546f by Salvatore Bonaccorso at 2020-02-27T13:43:49+01:00
Revert "Update python-bleach TEMP-0951907-7D0FFB (#951907) to indicate jessie/stretch not affected"

The code was quite refactored several times, but the issue is present as
well in older versions. See https://bugs.debian.org/951907#42 and
following. In particular, upstream back in b07814e0753c ("Extract
all html5lib things into a shim module") in v3.0.0 did split some code
from bleach.sanitizer to bleach.html5lib_shim, and before, in
67afdf8ae7d3 ("Prevent HTMLTokenizer from unescaping entities") in v2.1,
it was quite refactored.

But the issue which arises when 'cleaning' when noscript and one of the
mentioned raw text tags are whitelisted is present even in earlier
versions. Tested explicitly in 2.0-1 and 1.4-1.

This reverts commit b2007687dcd7a17c62cfb47af81b08e99add8f08.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -210,8 +210,6 @@ CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the 
Admin Dashboard -> Set
 CVE-2020-6802 [mutation XSS vulnerability]
        RESERVED
        - python-bleach 3.1.1-1 (bug #951907)
-       [stretch] - python-bleach <not-affected> (Vulnerable code introduced 
later)
-       [jessie] - python-bleach <not-affected> (Vulnerable code introduced 
later)
        NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 (not public)
        NOTE: 
https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r
        NOTE: 
https://github.com/mozilla/bleach/commit/f77e0f6392177a06e46a49abd61a4d9f035e57fd
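Review bot: dropping the two `<not-affected>` lines leaves CVE-2020-6802 with no stretch/jessie annotation in this entry at all, while the commit message records that the issue was reproduced in 2.0-1 and 1.4-1; consider adding a NOTE line alongside the existing ones capturing that, for example `NOTE: issue reproduced in 2.0-1 and 1.4-1, see https://bugs.debian.org/951907#42`, so that the not-affected marking is not reinstated later on the refactoring argument alone.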



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a1546fb68258e1720f77086e8c19281f2c6aed



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
