bug-guix

bug#47319: python-lxml is vulnerable to CVE-2021-28957


From: Leo Famulari
Subject: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Tue, 23 Mar 2021 13:55:23 -0400

On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957        21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:

https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957

So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company. We would monitor the Debian page and
copy their patch, if they decide to fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
> 
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't know if it
works or not.

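The bug class behind CVE-2021-28957, as an added illustration that is not part of the thread and not lxml's own code: a sanitizer that checks URL-bearing attributes against a fixed list (lxml's defs.link_attrs) silently passes any URL attribute the list omits, and HTML5 `formaction` on `<button>`/`<input>` overrides the enclosing form's `action`. The attribute sets, the `sanitize` helper built on the standard-library `html.parser`, the scheme check, and the sample markup below are all constructed for this example; only the presence of `action` and absence of `formaction` in the "vulnerable" set mirrors what the CVE text describes.

```python
from html import escape
from html.parser import HTMLParser

# Constructed for this example: a list of attributes whose values are URLs
# and therefore get scheme-checked. The "vulnerable" set has 'action' but
# not the HTML5 'formaction' attribute, the gap CVE-2021-28957 describes;
# the "fixed" set adds it, as the upstream fix did for defs.link_attrs.
LINK_ATTRS_VULNERABLE = frozenset({"href", "src", "action"})
LINK_ATTRS_FIXED = LINK_ATTRS_VULNERABLE | frozenset({"formaction"})

DANGEROUS_SCHEMES = frozenset({"javascript", "vbscript", "data"})


def is_dangerous_url(value):
    """True if the URL's scheme is script-bearing after normalisation.

    Whitespace and control characters are stripped before the scheme is
    read, since browsers tolerate 'java\\nscript:' and similar obfuscation.
    """
    compact = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    scheme, sep, _rest = compact.partition(":")
    return bool(sep) and scheme in DANGEROUS_SCHEMES


class UrlAttrSanitizer(HTMLParser):
    """Re-emit the markup, dropping listed link attributes whose URL is dangerous."""

    def __init__(self, link_attrs):
        super().__init__(convert_charrefs=True)
        self.link_attrs = link_attrs
        self.out = []
        self.dropped = []  # (tag, attribute, decoded value) for each removal

    def handle_starttag(self, tag, attrs):
        # html.parser hands us attribute values with character references
        # already decoded, so '&#10;' inside a value reaches us as '\n'.
        kept = []
        for name, value in attrs:
            if name in self.link_attrs and value is not None and is_dangerous_url(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append((name, value))
        rendered = "".join(
            f" {n}" if v is None else f' {n}="{escape(v, quote=True)}"'
            for n, v in kept
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(markup, link_attrs):
    """Return (cleaned_markup, dropped_attributes) for the given link-attribute set."""
    parser = UrlAttrSanitizer(link_attrs)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample input: the form's own action is caught by both sets,
# the button's (entity-obfuscated) formaction only by the fixed set.
SAMPLE = (
    '<form action="javascript:alert(1)">'
    '<button formaction="java&#10;script:alert(2)">go</button>'
    '<a href="https://example.org/">ok</a>'
    "</form>"
)

if __name__ == "__main__":
    for label, attrs in (("vulnerable", LINK_ATTRS_VULNERABLE), ("fixed", LINK_ATTRS_FIXED)):
        cleaned, dropped = sanitize(SAMPLE, attrs)
        print(f"{label}: {cleaned}")
        print(f"  dropped: {dropped}")
```

Running the block shows the "vulnerable" pass stripping the form's `action` while leaving `formaction="java\nscript:alert(2)"` on the button, and the "fixed" pass dropping both. The practical check for a packager is the same: any URL-scheme filter driven by an attribute allowlist needs every attribute the browser will dereference, and a point release that only extends that list (4.6.2 to 4.6.3 here) is the kind of change a backported patch can carry.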

