Bug 26286

Summary: python-bleach new security issue CVE-2020-6802
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-bleach-3.1.0-2.mga7.src.rpm CVE: CVE-2020-6802
Status comment:

Description David Walser 2020-03-02 21:00:54 CET 
Debian-LTS has issued an advisory on February 28:
https://www.debian.org/security/2020/dsa-4636

The issue is fixed upstream in 3.1.1.

Mageia 7 is also affected.
David Walser 2020-03-02 21:01:39 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-03-02 21:02:39 CET 
(In reply to David Walser from comment #0)
> Debian-LTS has issued an advisory on February 28:
> https://www.debian.org/security/2020/dsa-4636

Correction, Debian, not Debian-LTS.
David Walser 2020-03-02 21:11:26 CET

Status comment: (none) => Fixed upstream in 3.1.1

Comment 2 Lewis Smith 2020-03-03 18:48:45 CET 
No choice but to assign this one globally.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2020-03-04 11:01:44 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Mutation XSS in bleach.clean when noscript and raw tag whitelisted. (CVE-2020-6802)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6802
https://www.debian.org/security/2020/dsa-4636
========================

Updated packages in core/updates_testing:
========================
python2-bleach-3.1.1-1.mga7
python3-bleach-3.1.1-1.mga7

from SRPMS:
python-bleach-3.1.1-1.mga7.src.rpm

Status comment: Fixed upstream in 3.1.1 => (none)
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2020-6802
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 7
Status: NEW => ASSIGNED
Source RPM: python-bleach-3.1.0-4.mga8.src.rpm => python-bleach-3.1.0-2.mga7.src.rpm

Comment 4 Herman Viaene 2020-03-05 14:29:52 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues
Checked, this is developer's terrain. OK on clean install unless someone objects.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Len Lawrence 2020-03-05 16:59:21 CET 
+1 Herman.  It looks easy to test if you have a wonky html script but I would not know one if it was right under my nose.

CC: (none) => tarazed25

Comment 6 Thomas Andrews 2020-03-05 17:44:29 CET 
+1 here, too guys. Validating on a clean install it is. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-03-06 16:29:38 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-03-06 17:15:58 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0125.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED