Debian has issued an advisory on April 18:
The issue is fixed upstream in 3.3.0:
Mageia 7 is also affected.
Fixed upstream in 3.3.0
Assigning to Python group; CC'ing Joseph (registered maintainer) in hope.
openSUSE has issued an advisory for this on April 14:
Done for mga8 and mga7!
Fixed upstream in 3.3.0 =>
Harking back to bug 26445, this looks very difficult to test, but there may be a PoC at https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
If this goes anywhere, I shall report back, update, and test again. Otherwise, the default option.
If you run this code:
import bleach

print( bleach.__version__ )
# Payload from the upstream report: html5lib (used by bleach) treats <style>
# inside <math> as an ordinary foreign-content element, so "<!--</style><img ...>"
# is kept as comment text when strip_comments=False, while a browser re-parsing
# the output sees a real <style> block followed by a live <img> tag.
html = '<math></p><style><!--</style><img src/onerror=alert(1)>'
e = bleach.clean( html, tags=['math', 'p', 'style'], strip_comments=False )
print( e )
the output is:
Copy that into poc.html and navigate from a browser to that file;
That presents a --> symbol with an alert box containing 1 and an OK button which clears the alert.
Updated the package and ran the poc test again.
$ python3 poc.py
Modified the poc.html file and presented it to a browser again. That shows a blank page.
Cannot say that I fully understand the point of this, but it is probably a good result.
No point in proceeding any further with this without knowing what we are doing, so passing this on the basis of a clean update and a possibly successful poc test.
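As an added example (not code from this bug report or from the bleach project): a small audit helper that checks whether a given bleach.clean() allow-list and options match the precondition described in the advisory for CVE-2021-23980, plus a guarded run of the reporter's PoC that only executes when bleach happens to be importable. The three tag groups are the advisory's own; the 3.3.0 cut-off is the "fixed upstream" version noted in this bug; the function names, and the choice to treat an unknown bleach version as vulnerable, are assumptions made for this example.

```python
"""Audit a bleach.clean() configuration against the CVE-2021-23980 precondition.

Added example, not part of the bug report or of bleach itself. Tag groups come
from the advisory text; FIXED_VERSION from the "fixed upstream in 3.3.0" notes.
"""
from __future__ import annotations

import re
from typing import Iterable

# <svg>/<math> switch the HTML parser into foreign content ...
FOREIGN_CONTENT = {"svg", "math"}
# ... a <p>/<br> start tag inside it breaks back out to normal HTML parsing ...
BREAKOUT_TAGS = {"p", "br"}
# ... and these are raw-text elements in HTML but ordinary elements inside
# foreign content: that parsing mismatch is what the mutation XSS exploits.
RAW_TEXT_TAGS = {"style", "title", "noscript", "script", "textarea",
                 "noframes", "iframe", "xmp"}
FIXED_VERSION = (3, 3, 0)

# The reporter's payload, reproduced so the optional demo can run it.
POC_HTML = '<math></p><style><!--</style><img src/onerror=alert(1)>'


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.2.1' (or '3.1.0.dev0', or '3.3') into a 3-int comparable tuple."""
    parts: list[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric component ("dev0", "rc1")
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)  # pad so "3.3" compares equal to "3.3.0"
    return tuple(parts)


def missing_preconditions(tags: Iterable[str], strip_comments: bool) -> list[str]:
    """Return the advisory preconditions that are NOT met (empty list == all met)."""
    allowed = {t.lower() for t in tags}
    missing = []
    if not allowed & FOREIGN_CONTENT:
        missing.append("no svg/math tag allowed")
    if not allowed & BREAKOUT_TAGS:
        missing.append("no p/br tag allowed")
    if not allowed & RAW_TEXT_TAGS:
        missing.append("no raw-text tag (style, title, ...) allowed")
    if strip_comments:
        missing.append("strip_comments=True")
    return missing


def config_is_vulnerable(tags: Iterable[str], strip_comments: bool,
                         version: str | None = None) -> bool:
    """True when the allow-list matches the advisory and bleach is older than 3.3.0.

    version=None means "unknown" and is treated as vulnerable (assumption made
    here so that an audit errs on the side of flagging the call).
    """
    if missing_preconditions(tags, strip_comments):
        return False
    if version is not None and parse_version(version) >= FIXED_VERSION:
        return False
    return True


def run_poc() -> str | None:
    """Run the reporter's PoC if bleach is importable; return None when it is not."""
    try:
        import bleach  # optional dependency, absent in most test environments
    except ImportError:
        return None
    return bleach.clean(POC_HTML, tags=["math", "p", "style"], strip_comments=False)


if __name__ == "__main__":
    for tags, strip in [(["math", "p", "style"], False),
                        (["math", "p", "style"], True),
                        (["p", "b", "i"], False)]:
        gaps = missing_preconditions(tags, strip)
        verdict = "VULNERABLE PATTERN" if not gaps else "ok (%s)" % "; ".join(gaps)
        print(sorted(tags), "strip_comments=%s" % strip, "->", verdict)
    out = run_poc()
    print("bleach not installed; PoC skipped" if out is None
          else "bleach.clean output: %r" % out)
```

Passing the allow-list and strip_comments value from each bleach.clean() call site in a code base through missing_preconditions() gives a quick inventory of which calls need the 3.3.0 update before anything else; a non-empty list names exactly which part of the advisory's condition is not met.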
Referring to comment 6, I ran the poc tests for python2 and python3 and saw exactly the same results as reported, before and after the updates.
Giving this an OK on the same grounds as the mga8 test.
MGA7TOO MGA8-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK
Sometimes that's all we can do, Len. Validating.
Updated python-bleach packages fix a security vulnerability:
It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when "svg" or "math" is in the allowed tags, "p" or "br" is in the allowed tags, any of "style", "title", "noscript", "script", "textarea", "noframes", "iframe", or "xmp" is in the allowed tags, and strip_comments=False is set (CVE-2021-23980).
Updated packages in 7/core/updates_testing:
Updated packages in 8/core/updates_testing:
An update for this issue has been pushed to the Mageia Updates repository.