On February 27, 2020 12:18:53 PM UTC, Salvatore Bonaccorso <car...@debian.org> wrote:
>Hi Scott,
>
>On Thu, Feb 27, 2020 at 06:24:09AM -0500, Scott Kitterman wrote:
>> On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
>> > Hi Scott,
>> >
>> > On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
>> > > Debdiff for proposed stable security update attached.
>> > >
>> > > The first hunk of the patch has the actual fix. I would prefer to use the
>> > > new upstream release rather than just patch the one line because of the
>> > > test improvements, of the explanation of the issue in the upstream
>> > > changelog, and using the new upstream makes it clearer to external
>> > > reviewers we've done the fix. There are no unrelated changes.
>> >
>> > Okay, let's fix this via a DSA.
>> > I checked the reverse dependencies and none seem to be particularly
>> > impacted, but given the primary use of the module is to sanitize input
>> > and is generic enough we should update.
>> >
>> > Can you set urgency=high for consistency, and add the now assigned CVE
>> > reference (I did contact Mozilla CNA for it, and they assigned one, it
>> > is CVE-2020-6802).
>> >
>> > Many thanks for your work and apologies for the long delay.
>>
>> Thanks. No worries about the delay. I imagine this isn't the most severe
>> issue you are dealing with this week.
>>
>> I've dput the package to security-master, modified as above.
>
>Great, many thanks. It got ACCEPTED and I quickly tested it as well.
>Looks good.
>
>I think though we might need to revisit the assessment that older
>versions are not affected. Look at this quick and dirty test
>deduced from the testsuite:
... I'll see if I can figure something out.

In the older versions it's all passed to html5lib in a glob of kw args. I'm not sure if that means the problem is in html5lib (bad defaults) or if there is a way to address it in bleach. It'll be at least Friday before I can look at it.

Scott K
_______________________________________________
Python-modules-team mailing list
Python-modules-team@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team