Debian-LTS has issued an advisory on November 27: https://www.debian.org/lts/security/2020/dla-2467 The issue is fixed upstream in 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
Various people have touched this in recent times, so assigning it globally. CC'ing Philippe in case.
Assignee: bugsquad => pkg-bugsCC: (none) => makowski.mageia
Suggested advisory: ======================== The updated packages fix a security vulnerability: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783 https://www.debian.org/lts/security/2020/dla-2467 ======================== Updated packages in core/updates_testing: ======================== python2-lxml-4.3.0-1.1.mga7 python3-lxml-4.3.0-1.1.mga7 python-lxml-docs-4.3.0-1.1.mga7 from SRPM: python-lxml-4.3.0-1.1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugsCC: (none) => nicolas.salgueroCVE: (none) => CVE-2020-27783Status: NEW => ASSIGNED
Ubuntu has issued an advisory for this today (December 9): https://ubuntu.com/security/notices/USN-4666-1 They say this commit is also needed for the Mageia 7 update: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
Severity: normal => majorCC: (none) => qa-bugsAssignee: qa-bugs => nicolas.salguero
Suggested advisory: ======================== The updated packages fix a security vulnerability: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783 https://www.debian.org/lts/security/2020/dla-2467 https://ubuntu.com/security/notices/USN-4666-1 ======================== Updated packages in core/updates_testing: ======================== python2-lxml-4.3.0-1.2.mga7 python3-lxml-4.3.0-1.2.mga7 python-lxml-docs-4.3.0-1.2.mga7 from SRPM: python-lxml-4.3.0-1.2.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugs
CC: qa-bugs => (none)
No installation issues. Reaching all the way back to Bug 13326 for a testing procedure... (Thank you, Claire!) $ python Python 2.7.18 (default, Nov 20 2020, 06:51:30) [GCC 8.4.0] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> from lxml.html.clean import clean_html >>> >>> html = '''\ ... <html> ... <body> ... <a href="javascript:alert(0)"> ... aaa</a> ... <a href="javas\x01cript:alert(1)">bbb</a> ... <a href="javas\x02cript:alert(1)">bbb</a> ... <a href="javas\x03cript:alert(1)">bbb</a> ... <a href="javas\x04cript:alert(1)">bbb</a> ... <a href="javas\x05cript:alert(1)">bbb</a> ... <a href="javas\x06cript:alert(1)">bbb</a> ... <a href="javas\x07cript:alert(1)">bbb</a> ... <a href="javas\x08cript:alert(1)">bbb</a> ... <a href="javas\x09cript:alert(1)">bbb</a> ... </body> ... </html>''' >>> >>> print clean_html(html) <div> <body> <a href=""> aaa</a> <a href="">bbb</a> <a href="">bbb</a> <a href="">bbb</a> <a href="">bbb</a> <a href="">bbb</a> <a href="">bbb</a> <a href="">bbb</a> <a href="">bbb</a> <a href="">bbb</a> </body> </div> This result is the same as that in Bug 13326, so I'm passing this on. Validating. Advisory in Comment 4.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA7-64-OKCC: (none) => andrewsfarm, sysadmin-bugs
Fedora has issued advisory for this on January 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/
Advisory pushed to SVN.
CC: (none) => ouaurelienKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0038.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED