Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: d5a1546f by Salvatore Bonaccorso at 2020-02-27T13:43:49+01:00 Revert "Update python-bleach TEMP-0951907-7D0FFB (#951907) to indicate jessie/stretch not affected" The code was several times quite refactored, but the issue is present as well in older versions. See https://bugs.debian.org/951907#42 and following. In particular upstream did back in b07814e0753c ("Extract all html5lib things into a shim module") in v3.0.0 did split some code from bleach.sanitizer to bleach.html5lib_shim, and before in 67afdf8ae7d3 ("Prevent HTMLTokenizer from unescaping entities") in v2.1 was quite refactored. But the issue which arises when 'cleaning' when noscript and one of the mentioned raw text tags are whitelisted is present in earlier versions even. Tested in explicitly in 2.0-1 and 1.4-1. This reverts commit b2007687dcd7a17c62cfb47af81b08e99add8f08. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -210,8 +210,6 @@ CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Set CVE-2020-6802 [mutation XSS vulnerability] RESERVED - python-bleach 3.1.1-1 (bug #951907) - [stretch] - python-bleach <not-affected> (Vulnerable code introduced later) - [jessie] - python-bleach <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r NOTE: https://github.com/mozilla/bleach/commit/f77e0f6392177a06e46a49abd61a4d9f035e57fd View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a1546fb68258e1720f77086e8c19281f2c6aed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a1546fb68258e1720f77086e8c19281f2c6aed You're receiving this email because of your account on salsa.debian.org.
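Review bot: with the `[stretch]` and `[jessie]` `<not-affected>` lines dropped from the CVE-2020-6802 entry, the reasoning that replaced them (older versions verified affected in 2.0-1 and 1.4-1, per https://bugs.debian.org/951907#42) survives only in the commit message; consider adding a NOTE line under CVE-2020-6802 in data/CVE/list recording that verification and the bug comment reference, so the next person checking why jessie/stretch are now open does not have to dig through git history or repeat the test. The removal itself is consistent with the message's finding that the issue predates the bleach.html5lib_shim split in v3.0.0 and the v2.1 tokenizer refactoring.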