MGASA-2021-0260 - Updated python-bleach packages fix a security vulnerability

Publication date: 16 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0260.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-23980

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when all of
the following conditions are met (CVE-2021-23980):
- "svg" or "math" is in the allowed tags
- "p" or "br" is in the allowed tags
- "style", "title", "noscript", "script", "textarea", "noframes", "iframe", or "xmp" is in the allowed tags
- strip_comments=False is set
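
The following check is an added example, not part of the Mageia advisory or of bleach itself. It audits the settings passed to a bleach.clean call against the combination described above. The function name, group labels and sample configurations are hypothetical; the tag groups are taken from the advisory text.

```python
# Added example: names are hypothetical; tag groups are taken from the advisory text.
FOREIGN = frozenset({"svg", "math"})
PARA = frozenset({"p", "br"})
RAW_TEXT = frozenset({"style", "title", "noscript", "script",
                      "textarea", "noframes", "iframe", "xmp"})
GROUPS = {"svg/math": FOREIGN, "p/br": PARA, "raw-text": RAW_TEXT}


def audit_clean_config(tags, strip_comments=True):
    """Check one bleach.clean() call's settings against CVE-2021-23980.

    strip_comments defaults to True, matching bleach.clean's own default.
    Returns a dict: 'affected' (bool), 'matched' (group -> allowed tags that
    satisfy it) and 'workarounds' (single changes that break the combination).
    """
    # Assumption: tag names are compared case-insensitively, which errs on the
    # side of flagging a configuration rather than missing it.
    allowed = {str(t).strip().lower() for t in tags}
    matched = {name: sorted(allowed & group) for name, group in GROUPS.items()}
    # Affected only when every tag group is represented AND comments are kept.
    affected = all(matched.values()) and not strip_comments
    workarounds = []
    if affected:
        workarounds.append("set strip_comments=True")
        for name, hits in matched.items():
            workarounds.append(f"drop {', '.join(hits)} ({name}) from the allowed tags")
    return {"affected": affected, "matched": matched, "workarounds": workarounds}


# Constructed sample configurations, as might be collected during a code review.
SAMPLES = {
    "comments_widget": (["p", "br", "svg", "title", "a"], False),
    "default_comments": (["p", "br", "svg", "title", "a"], True),
    "no_foreign_content": (["p", "br", "style", "b"], False),
    "mixed_case": (["P", "MATH", "Script"], False),
}

if __name__ == "__main__":
    for name, (tags, strip) in SAMPLES.items():
        result = audit_clean_config(tags, strip_comments=strip)
        print(name, "AFFECTED" if result["affected"] else "ok", result["workarounds"])
```

Any one listed workaround breaks the combination; installing the updated packages listed under SRPMS remains the fix.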

References:
- https://bugs.mageia.org/show_bug.cgi?id=28986
- https://www.debian.org/security/2021/dsa-4892.en.html
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://lists.opensuse.org/archives/list/[email protected]/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980

SRPMS:
- 7/core/python-bleach-3.1.4-1.1.mga7
- 8/core/python-bleach-3.3.0-1.mga8