Bug 26379 - python-bleach new security issue CVE-2020-6816
Summary: python-bleach new security issue CVE-2020-6816
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Nicolas Salguero
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 26445
Blocks:
Reported: 2020-03-24 23:37 CET by David Walser
Modified: 2020-04-20 16:06 CEST

See Also:
Source RPM: python-bleach-3.1.1-1.mga7.src.rpm
CVE: CVE-2020-6816
Status comment:



Description David Walser 2020-03-24 23:37:07 CET
Debian has issued an advisory on March 20:
https://www.debian.org/security/2020/dsa-4643

The issue is fixed upstream in 3.1.2.

Mageia 7 is also affected.
David Walser 2020-03-24 23:37:16 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-03-24 23:37:25 CET

Status comment: (none) => Fixed upstream in 3.1.2

Comment 1 Nicolas Salguero 2020-03-25 10:34:45 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. (CVE-2020-6816)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6816
https://www.debian.org/security/2020/dsa-4643
========================

Updated packages in core/updates_testing:
========================
python2-bleach-3.1.2-1.mga7
python3-bleach-3.1.2-1.mga7

from SRPMS:
python-bleach-3.1.2-1.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2020-6816
Whiteboard: MGA7TOO => (none)
Source RPM: python-bleach-3.1.1-1.mga8.src.rpm => python-bleach-3.1.1-1.mga7.src.rpm
Status comment: Fixed upstream in 3.1.2 => (none)
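As an added illustration (not part of this bug report, the Mageia package or the bleach project), a small audit helper that flags a bleach.clean configuration matching the three conditions in the advisory above: installed bleach older than 3.1.2, svg or math in the allowed tags, and strip=False. The version parser, is_exposed and audit functions and the sample configurations are constructed for this example.

```python
"""Constructed audit helper for CVE-2020-6816 exposure (not bleach's own code)."""
from typing import Iterable, List, Tuple

FIXED_VERSION = (3, 1, 2)      # first upstream release with the fix, per the advisory
RISKY_TAGS = {"svg", "math"}   # tags named in the CVE description


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.1' or an RPM-style '3.1.2-1.mga7' into a comparable int tuple.

    Only the leading numeric components are used; a packaging release suffix
    such as '-1.mga7' is ignored.
    """
    core = version.split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_exposed(version: str, tags: Iterable[str], strip: bool = False) -> bool:
    """Return True only when all CVE-2020-6816 preconditions hold at once:
    bleach below 3.1.2, 'svg' or 'math' allowed, and strip=False
    (strip=False is bleach.clean's default, so an omitted argument counts)."""
    outdated = parse_version(version) < FIXED_VERSION
    allows_risky = bool(RISKY_TAGS.intersection(t.lower() for t in tags))
    return outdated and allows_risky and not strip


def audit(version: str, configs) -> List[str]:
    """Return the names of the (name, tags, strip) configurations that are exposed."""
    return [name for name, tags, strip in configs if is_exposed(version, tags, strip)]


if __name__ == "__main__":
    # Constructed sample configurations; versions mirror the packages on this page.
    SAMPLE_CONFIGS = [
        ("blog_posts", ["p", "a", "svg"], False),   # svg allowed, strip left at default
        ("comments", ["p", "a", "em"], False),      # no svg/math: not affected
        ("wiki", ["p", "math"], True),              # strip=True: not affected
    ]
    for pkg in ("3.1.1-1.mga7", "3.1.2-1.mga7"):
        print(pkg, "exposed configs:", audit(pkg, SAMPLE_CONFIGS))
```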

Comment 2 Len Lawrence 2020-03-27 19:50:09 CET
mga7, x86_64

Examples of use at:
https://www.programcreek.com/python/example/60247/bleach.clean
Downloaded the test_basics.py file from the flasky project but it is not much use without the whole project.  Don't know how to install that from GitHub so I guess this has to be a case of a clean update unless somebody in QA can handle GitHub.

The update runs OK.

CC: (none) => tarazed25

David Walser 2020-04-06 22:39:14 CEST

Depends on: (none) => 26445

Nicolas Salguero 2020-04-07 09:46:56 CEST

CC: (none) => nicolas.salguero
Assignee: qa-bugs => nicolas.salguero

Comment 3 David Walser 2020-04-20 16:06:38 CEST
Fixed in:
https://advisories.mageia.org/MGASA-2020-0176.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
