26286 – python-bleach new security issue CVE-2020-6802

Bug 26286 - python-bleach new security issue CVE-2020-6802

Summary: python-bleach new security issue CVE-2020-6802

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2020-03-02 21:00 CET by David Walser
Modified:	2020-03-06 17:15 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	python-bleach-3.1.0-2.mga7.src.rpm
CVE:	CVE-2020-6802
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-03-02 21:00:54 CET

Debian-LTS has issued an advisory on February 28:
https://www.debian.org/security/2020/dsa-4636

The issue is fixed upstream in 3.1.1.

Mageia 7 is also affected.

David Walser 2020-03-02 21:01:39 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-03-02 21:02:39 CET

(In reply to David Walser from comment #0)
> Debian-LTS has issued an advisory on February 28:
> https://www.debian.org/security/2020/dsa-4636

Correction, Debian, not Debian-LTS.

David Walser 2020-03-02 21:11:26 CET

Status comment: (none) => Fixed upstream in 3.1.1

Comment 2 Lewis Smith 2020-03-03 18:48:45 CET

No choice but to assign this one globally.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2020-03-04 11:01:44 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Mutation XSS in bleach.clean when noscript and raw tag whitelisted. (CVE-2020-6802)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6802
https://www.debian.org/security/2020/dsa-4636
========================

Updated packages in core/updates_testing:
========================
python2-bleach-3.1.1-1.mga7
python3-bleach-3.1.1-1.mga7

from SRPMS:
python-bleach-3.1.1-1.mga7.src.rpm

Status comment: Fixed upstream in 3.1.1 => (none)
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2020-6802
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Version: Cauldron => 7
Status: NEW => ASSIGNED
Source RPM: python-bleach-3.1.0-4.mga8.src.rpm => python-bleach-3.1.0-2.mga7.src.rpm

Comment 4 Herman Viaene 2020-03-05 14:29:52 CET

MGA7-64 Plasma on Lenovo B50
No installation issues
Checked, this is developer's terrain. OK on clean install unless someone objects.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Len Lawrence 2020-03-05 16:59:21 CET

+1 Herman.  It looks easy to test if you have a wonky html script but I would not know one if it was right under my nose.

CC: (none) => tarazed25

Comment 6 Thomas Andrews 2020-03-05 17:44:29 CET

+1 here, too guys. Validating on a clean install it is. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-03-06 16:29:38 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-03-06 17:15:58 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0125.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.