Your message dated Thu, 05 Mar 2020 18:47:32 +0000
with message-id <e1j9vwu-000cbs...@fasolo.debian.org>
and subject line Bug#951907: fixed in python-bleach 3.1.1-0+deb10u1
has caused the Debian Bug report #951907,
regarding python-bleach: CVE-2020-6802: mutation XSS vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
951907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:python-bleach
Version: 3.1.0-1
Severity: serious
Tags: security upstream

From the upstream change log:

**Security fixes**

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
  browser behavior.

  Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
  the raw text tags (``title``, ``textarea``, ``script``, ``style``,
  ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
  to a mutation XSS.

  This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
  and v3.1.0. Earlier versions are probably affected too.

  Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1615315

Note: The referenced bug is not currently publicly accessible.

--- End Message ---
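
The condition in the change log above (``noscript`` allowed together with at least one raw text tag, on Bleach <=v3.1.0) can be checked against an application's tag allowlists. This is an added example, not code from Bleach or Debian; the function names and the sample allowlists are constructed for illustration.

```python
import re

# Raw text tags listed in the upstream change log entry for CVE-2020-6802.
RAW_TEXT_TAGS = frozenset(
    {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}
)
# Last affected upstream release per the change log ("Bleach <=v3.1.0").
LAST_AFFECTED = (3, 1, 0)


def upstream_version(version):
    """Parse an upstream ("v3.1.0") or Debian ("3.1.1-0+deb10u1") version string."""
    v = version.strip().split(":", 1)[-1]  # drop a Debian epoch, if present
    v = v.lstrip("vV")
    if "-" in v:
        v = v.rsplit("-", 1)[0]  # drop the Debian revision
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if m is None:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part or 0) for part in m.groups())


def audit_clean_call(version, allowed_tags):
    """Report whether one bleach.clean allowlist meets the change log's conditions."""
    tags = {t.lower() for t in allowed_tags}
    # Raw text tags only matter here when noscript is allowed as well.
    raw_text = sorted(tags & RAW_TEXT_TAGS) if "noscript" in tags else []
    affected = upstream_version(version) <= LAST_AFFECTED
    return {
        "affected_version": affected,
        "raw_text_tags_with_noscript": raw_text,
        "exposed": affected and bool(raw_text),
    }


def audit_all(version, allowlists):
    """Return the names of the allowlists that are exposed on this version."""
    return sorted(
        name for name, tags in allowlists.items()
        if audit_clean_call(version, tags)["exposed"]
    )


# Constructed sample allowlists (hypothetical application settings).
SAMPLE_ALLOWLISTS = {
    "comments": ["a", "b", "em", "strong"],
    "wiki_pages": ["p", "noscript", "style", "iframe"],
    "profiles": ["p", "noscript"],
}

if __name__ == "__main__":
    for installed in ("3.1.0-1", "3.1.1-0+deb10u1"):
        print(installed, audit_all(installed, SAMPLE_ALLOWLISTS))
```

The version comparison relies on the fix arriving as a new upstream release (3.1.1), as it does in this upload; it would not recognise a fix backported under an older upstream version number.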
--- Begin Message ---
Source: python-bleach
Source-Version: 3.1.1-0+deb10u1
Done: Scott Kitterman <sc...@kitterman.com>

We believe that the bug you reported is fixed in the latest version of
python-bleach, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 951...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated python-bleach package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Feb 2020 05:53:52 -0500
Source: python-bleach
Architecture: source
Version: 3.1.1-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Closes: 951907
Changes:
 python-bleach (3.1.1-0+deb10u1) buster-security; urgency=high
 .
   * New upstream security release (Closes: #951907)
     - Addresses CVE-2020-6802


--- End Message ---