Debian-LTS has issued an advisory on February 28:
https://www.debian.org/security/2020/dsa-4636
The issue is fixed upstream in 3.1.1. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
(In reply to David Walser from comment #0)
> Debian-LTS has issued an advisory on February 28:
> https://www.debian.org/security/2020/dsa-4636

Correction, Debian, not Debian-LTS.
Status comment: (none) => Fixed upstream in 3.1.1
No choice but to assign this one globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Mutation XSS in bleach.clean when noscript and raw tag whitelisted. (CVE-2020-6802)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6802
https://www.debian.org/security/2020/dsa-4636
========================

Updated packages in core/updates_testing:
========================
python2-bleach-3.1.1-1.mga7
python3-bleach-3.1.1-1.mga7

from SRPMS:
python-bleach-3.1.1-1.mga7.src.rpm
Status comment: Fixed upstream in 3.1.1 => (none)
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2020-6802
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 7
Status: NEW => ASSIGNED
Source RPM: python-bleach-3.1.0-4.mga8.src.rpm => python-bleach-3.1.0-2.mga7.src.rpm
MGA7-64 Plasma on Lenovo B50
No installation issues
Checked, this is developer's terrain. OK on clean install unless someone objects.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
+1 Herman. It looks easy to test if you have a wonky html script but I would not know one if it was right under my nose.
CC: (none) => tarazed25
+1 here too, guys. Validating on a clean install it is. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0125.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED