Debian has issued an advisory on March 20:
https://www.debian.org/security/2020/dsa-4643

The issue is fixed upstream in 3.1.2.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 3.1.2
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. (CVE-2020-6816)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6816
https://www.debian.org/security/2020/dsa-4643
========================

Updated packages in core/updates_testing:
========================
python2-bleach-3.1.2-1.mga7
python3-bleach-3.1.2-1.mga7

from SRPMS:
python-bleach-3.1.2-1.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2020-6816
Whiteboard: MGA7TOO => (none)
Source RPM: python-bleach-3.1.1-1.mga8.src.rpm => python-bleach-3.1.1-1.mga7.src.rpm
Status comment: Fixed upstream in 3.1.2 => (none)
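An added example, not part of the bug report or of Bleach itself: a small audit helper that checks a package string against the fixed release and classifies a bleach.clean call site against the conditions in the advisory text. The function names and the RCDATA tag set (title and textarea, the RCDATA elements of the HTML parsing spec) are assumptions; the page does not list the RCDATA tags, so pass upstream's list via `rcdata` if it differs.

```python
import re

FIXED = (3, 1, 2)                    # first fixed upstream release named on the page
FOREIGN_TAGS = {"svg", "math"}       # from the advisory text
RCDATA_TAGS = {"title", "textarea"}  # assumption: RCDATA elements of the HTML parsing spec


def parse_version(text):
    """Return the leading dotted-numeric part of a version, padded to 3 fields."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def package_version(nvr):
    """Extract the version from an RPM name-version-release string."""
    try:
        _name, version, _release = nvr.rsplit("-", 2)
    except ValueError:
        raise ValueError(f"not a name-version-release string: {nvr!r}") from None
    return parse_version(version)


def clean_call_status(version, tags, strip=False, rcdata=RCDATA_TAGS):
    """Classify one bleach.clean(tags=..., strip=...) call site.

    strip defaults to False, as it does in bleach.clean.
    """
    if parse_version(version) >= FIXED:
        return "fixed"
    allowed = {t.lower() for t in tags}
    # All three advisory conditions must hold for the call to be affected.
    if strip or not (allowed & FOREIGN_TAGS) or not (allowed & set(rcdata)):
        return "not-affected-config"
    return "affected"


if __name__ == "__main__":
    # Package strings are the ones quoted in this report.
    for pkg in ("python3-bleach-3.1.2-1.mga7", "python-bleach-3.1.1-1.mga7.src.rpm"):
        print(pkg, "fixed" if package_version(pkg) >= FIXED else "needs update")
    # Constructed call-site configuration for illustration.
    print(clean_call_status("3.1.1", ["p", "svg", "textarea"]))
```
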
mga7, x86_64

Examples of use at:
https://www.programcreek.com/python/example/60247/bleach.clean

Downloaded the test_basics.py file from the flasky project but it is not much use without the whole project. Don't know how to install that from GitHub so I guess this has to be a case of a clean update unless somebody in QA can handle GitHub.

The update runs OK.
CC: (none) => tarazed25
Depends on: (none) => 26445
CC: (none) => nicolas.salguero
Assignee: qa-bugs => nicolas.salguero
Fixed in: https://advisories.mageia.org/MGASA-2020-0176.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED