Advisories » MGASA-2021-0260

Updated python-bleach packages fix a security vulnerability

Publication date: 16 Jun 2021
Modification date: 16 Jun 2021
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-23980

Description

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when all
of the following hold: "svg" or "math" is in the allowed tags; "p" or "br"
is in the allowed tags; "style", "title", "noscript", "script", "textarea",
"noframes", "iframe", or "xmp" is in the allowed tags; and
'strip_comments=False' is set (CVE-2021-23980).
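
As an added example (not part of the advisory or of bleach's own code), the following Python script audits source code for bleach.clean calls that meet all of the conditions above. It assumes calls are spelled literally as bleach.clean(...) and that omitted arguments take bleach's defaults (strip_comments=True and a default tag list without "svg" or "math"); the names risky_config, audit_source and SAMPLE are hypothetical.

```python
import ast

# Tag groups as listed in the advisory (CVE-2021-23980).
FOREIGN, BREAK = {"svg", "math"}, {"p", "br"}
RAWTEXT = {"style", "title", "noscript", "script",
           "textarea", "noframes", "iframe", "xmp"}

def risky_config(tags, strip_comments):
    """True only when every condition from the advisory holds."""
    tags = {str(t).lower() for t in tags}
    return bool(not strip_comments and tags & FOREIGN
                and tags & BREAK and tags & RAWTEXT)

def _literal(node):
    """Value of a literal argument, or None if it is not a literal."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError, SyntaxError):
        return None

def audit_source(source):
    """Sorted (line, verdict) pairs; verdict is risky, ok or review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        f = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)
                and f.attr == "clean" and isinstance(f.value, ast.Name)
                and f.value.id == "bleach"):
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        # strip_comments defaults to True, so an omitted argument is safe.
        strip = _literal(kw["strip_comments"]) if "strip_comments" in kw else True
        tags_node = kw.get("tags") or (node.args[1] if len(node.args) > 1 else None)
        tags = _literal(tags_node) if tags_node is not None else []
        if strip is True or tags_node is None:
            verdict = "ok"  # omitted tags: assumed defaults lack svg/math
        elif strip is None or not isinstance(tags, (list, tuple, set)):
            verdict = "review"  # non-literal argument, needs a human
        else:
            verdict = "risky" if risky_config(tags, strip) else "ok"
        findings.append((node.lineno, verdict))
    return sorted(findings)

# Constructed sample input, not taken from any real project.
SAMPLE = '''import bleach
a = bleach.clean(html, tags=["svg", "p", "style"], strip_comments=False)
b = bleach.clean(html, tags=["svg", "p", "style"])
c = bleach.clean(html, tags=ALLOWED, strip_comments=False)
'''
```

Calling audit_source(SAMPLE) flags line 2 as "risky", line 3 as "ok" and line 4 as "review"; calls made through an alias or a Cleaner object are outside what this check matches.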
                

References

SRPMS

8/core

7/core