Various people have touched this in recent times, so assigning it globally.
CC'ing Philippe in case.

Assignee: bugsquad => pkg-bugs
CC: (none) => makowski.mageia

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
https://www.debian.org/lts/security/2020/dla-2467
========================

Updated packages in core/updates_testing:
========================
python2-lxml-4.3.0-1.1.mga7
python3-lxml-4.3.0-1.1.mga7
python-lxml-docs-4.3.0-1.1.mga7

from SRPM:
python-lxml-4.3.0-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-27783
Status: NEW => ASSIGNED

Ubuntu has issued an advisory for this today (December 9):
https://ubuntu.com/security/notices/USN-4666-1

They say this commit is also needed for the Mageia 7 update:
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7

Severity: normal => major
CC: (none) => qa-bugs
Assignee: qa-bugs => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
https://www.debian.org/lts/security/2020/dla-2467
https://ubuntu.com/security/notices/USN-4666-1
========================

Updated packages in core/updates_testing:
========================
python2-lxml-4.3.0-1.2.mga7
python3-lxml-4.3.0-1.2.mga7
python-lxml-docs-4.3.0-1.2.mga7

from SRPM:
python-lxml-4.3.0-1.2.mga7.src.rpm

No installation issues.

Reaching all the way back to Bug 13326 for a testing procedure...

(Thank you, Claire!)

$ python
Python 2.7.18 (default, Nov 20 2020, 06:51:30) 
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>> 
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>> 
>>> print clean_html(html)
<div>
<body>
<a href="">
aaa</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
</body>
</div>

This result is the same as that in Bug 13326, so I'm passing this on.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Fedora has issued advisory for this on January 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/

Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0038.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED