Mageia 2021-0260: python-bleach security update
Summary
It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when all
of the following hold: "svg" or "math" is in the allowed tags; "p" or "br"
is in the allowed tags; "style", "title", "noscript", "script", "textarea",
"noframes", "iframe", or "xmp" is in the allowed tags; and
strip_comments=False is set (CVE-2021-23980).
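The following check is an added example, not code from this advisory or from the bleach project: it tests the settings of a bleach.clean call against the preconditions above and reports which ones are unmet. The group labels and sample configurations are constructed for illustration; the strip_comments default of True mirrors bleach.clean's own default.

```python
from typing import Iterable, NamedTuple

# Tag groups copied from the advisory text for CVE-2021-23980.
# The group labels are names chosen for this example.
GROUPS = {
    "foreign_content": frozenset({"svg", "math"}),
    "p_or_br": frozenset({"p", "br"}),
    "text_elements": frozenset({"style", "title", "noscript", "script",
                                "textarea", "noframes", "iframe", "xmp"}),
}


class Audit(NamedTuple):
    affected: bool        # True when every precondition holds
    matched: dict         # group label -> allowed tags found in that group
    comments_kept: bool   # True when strip_comments is falsy
    missing: list         # preconditions that do not hold


def audit_clean_config(tags: Iterable[str], strip_comments: bool = True) -> Audit:
    """Check one bleach.clean() call's settings against the advisory."""
    allowed = set(tags)
    matched = {name: sorted(allowed & group) for name, group in GROUPS.items()}
    comments_kept = not strip_comments
    missing = [name for name, hits in matched.items() if not hits]
    if not comments_kept:
        missing.append("strip_comments=False")
    return Audit(not missing, matched, comments_kept, missing)


# Constructed sample configurations (hypothetical call sites).
SAMPLE_CONFIGS = {
    "comments_widget": (["p", "br", "a", "svg", "title"], False),
    "same_tags_default_comments": (["p", "br", "a", "svg", "title"], True),
    "plain_text_profile": (["p", "br", "a", "b", "i"], False),
    "math_without_text_elements": (["p", "math"], False),
}


def audit_all(configs=SAMPLE_CONFIGS):
    """Audit every named configuration and return the results by name."""
    return {name: audit_clean_config(tags, sc) for name, (tags, sc) in configs.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        status = "AFFECTED" if result.affected else "not affected"
        print(f"{name}: {status}; unmet preconditions: {result.missing or 'none'}")
```

A configuration reported as affected still needs the updated package listed under Resolution; the `missing` list only shows which precondition keeps an unpatched call outside the advisory's scope.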
References
- https://bugs.mageia.org/show_bug.cgi?id=28986
- https://www.debian.org/security/2021/dsa-4892.en.html
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
Resolution
MGASA-2021-0260 - Updated python-bleach packages fix a security vulnerability
SRPMS
- 7/core/python-bleach-3.1.4-1.1.mga7
- 8/core/python-bleach-3.3.0-1.mga8