[SECURITY] [DSA 4892-1] python-bleach security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-4892-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-bleach
CVE ID         : CVE-2021-23980
Debian Bug     : 986251

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when
'svg' or 'math' are in the allowed tags, 'p' or 'br' are in allowed
tags, 'style', 'title', 'noscript', 'script', 'textarea', 'noframes',
'iframe', or 'xmp' are in allowed tags and 'strip_comments=False' is
set.

For the stable distribution (buster), this problem has been fixed in
version 3.1.2-0+deb10u2.

We recommend that you upgrade your python-bleach packages.

For the detailed security status of python-bleach please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-bleach

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
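Added example, not part of the advisory or of bleach itself: a static check that finds bleach.clean calls matching the configuration described above, reading the conditions as joint (one tag from each of the three groups, plus strip_comments=False). The function names and the sample source are constructed for illustration; only a keyword strip_comments argument and literal tag lists are evaluated, and anything computed at runtime is reported as "review".

```python
import ast

# Tag groups from the advisory; at least one tag from each must be allowed.
NAMESPACE_TAGS = {"svg", "math"}
BREAKOUT_TAGS = {"p", "br"}
RAWTEXT_TAGS = {"style", "title", "noscript", "script",
                "textarea", "noframes", "iframe", "xmp"}

def config_is_affected(tags, strip_comments=True):
    """True when the allowlist and strip_comments meet every advisory condition."""
    tags = {str(t).lower() for t in tags}
    return (not strip_comments and bool(tags & NAMESPACE_TAGS)
            and bool(tags & BREAKOUT_TAGS) and bool(tags & RAWTEXT_TAGS))

def _literal(node):
    """Value of a literal AST node, or None when it is computed at runtime."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError, SyntaxError):
        return None

def find_affected_calls(source):
    """Return (line, verdict) for clean(...) calls; verdict is 'affected' or 'review'."""
    findings = []
    calls = (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call))
    for node in calls:
        name = getattr(node.func, "attr", getattr(node.func, "id", None))
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if name != "clean" or "strip_comments" not in kwargs:
            continue  # strip_comments defaults to True, which is not affected
        strip = _literal(kwargs["strip_comments"])
        tags_node = kwargs.get("tags", node.args[1] if len(node.args) > 1 else None)
        if strip or tags_node is None:
            continue  # comments stripped, or default allowlist (no svg/math)
        tags = _literal(tags_node)
        if strip is False and isinstance(tags, (list, tuple, set)):
            if config_is_affected(tags, strip_comments=False):
                findings.append((node.lineno, "affected"))
        else:
            findings.append((node.lineno, "review"))  # value not a literal
    return sorted(findings)

# Constructed sample source, not taken from any real project.
SAMPLE = '''import bleach
a = bleach.clean(html, tags=["svg", "p", "style"], strip_comments=False)
b = bleach.clean(html, tags=["svg", "p", "style"])
c = bleach.clean(html, tags=["b", "i"], strip_comments=False)
d = bleach.clean(html, tags=ALLOWED, strip_comments=False)
'''
```

Calling find_affected_calls(SAMPLE) flags the call on line 2 as affected and the call on line 5 for manual review, because its allowlist is a variable.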

Affected Package

OS      OS Version  Package Name       Package Version
Debian  9           python-bleach-doc  2.0-1+deb9u1
Debian  10          python-bleach      3.1.2-0+deb10u2
Debian  9           python-bleach      2.0-1+deb9u1
Debian  10          python-bleach-doc  3.1.2-0+deb10u2
Debian  10          python3-bleach     3.1.2-0+deb10u2
Debian  9           python3-bleach     2.0-1+deb9u1