--- Begin Message ---
Subject: python-lxml is vulnerable to CVE-2021-28957
Date: Mon, 22 Mar 2021 15:09:24 +0100
User-agent: Evolution 3.34.2
CVE-2021-28957 21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.
Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.
Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?
Léo
--- End Message ---
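To make the report above concrete, here is an added illustration in Python (not lxml's own code, and not the fix referenced in the commit link): a minimal model of a link-attribute sanitizer built on the standard library, parameterised by the set of attribute names it treats as URL-bearing. The two attribute sets and the HTML fragment are constructed for the example; lxml's real defs.link_attrs in html/defs.py is much longer. The only point being shown is what the CVE text says: an attribute missing from that list is never scheme-checked, so a javascript: URL in formaction passes through a sanitizer that was written before HTML5 added the attribute.

```python
# Added example, not lxml code: a toy sanitizer that drops URL-bearing
# attributes whose scheme is not allow-listed, to show why "formaction"
# must be in the link-attribute list (CVE-2021-28957).
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed attribute sets standing in for lxml's defs.link_attrs before
# (4.6.2) and after (4.6.3) the fix.  Only the formaction entry differs.
LINK_ATTRS_WITHOUT_FORMACTION = frozenset({"href", "src", "action"})
LINK_ATTRS_WITH_FORMACTION = LINK_ATTRS_WITHOUT_FORMACTION | {"formaction"}

# Schemes the toy sanitizer accepts; "" covers relative URLs.
SAFE_SCHEMES = frozenset({"", "http", "https", "mailto"})

# Constructed sample: a submit button whose HTML5 formaction carries a
# javascript: URL, beside an ordinary https link and a relative action.
SAMPLE_FRAGMENT = (
    '<form action="/submit">'
    '<button formaction="javascript:void(0)">Go</button>'
    '<a href="https://example.org/">ok</a>'
    "</form>"
)


def url_is_safe(value):
    """True when the URL is relative or uses an allow-listed scheme."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in SAFE_SCHEMES


class _Collector(HTMLParser):
    """Record the attributes seen on every start tag (names lowercased)."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tagname, {attr: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def sanitize_attrs(fragment, link_attrs):
    """Return {tag: {attr: value}} after dropping every attribute named in
    link_attrs whose scheme is not allow-listed.  Attributes *outside*
    link_attrs are copied through untouched: that is the gap the CVE
    describes when "formaction" is absent from the list.  The sample has
    one element per tag name, so keying the result by tag is enough here."""
    parser = _Collector()
    parser.feed(fragment)
    parser.close()
    result = {}
    for tag, attrs in parser.tags:
        kept = {}
        for name, value in attrs.items():
            if name in link_attrs and value is not None and not url_is_safe(value):
                continue  # checked attribute with a bad scheme: dropped
            kept[name] = value
        result[tag] = kept
    return result


def formaction_leaks(fragment, link_attrs):
    """True if a formaction with a non-allow-listed scheme survives cleaning."""
    cleaned = sanitize_attrs(fragment, link_attrs)
    return any(
        attrs.get("formaction") is not None and not url_is_safe(attrs["formaction"])
        for attrs in cleaned.values()
    )


if __name__ == "__main__":
    for label, attr_set in (
        ("4.6.2-style list (no formaction)", LINK_ATTRS_WITHOUT_FORMACTION),
        ("4.6.3-style list (with formaction)", LINK_ATTRS_WITH_FORMACTION),
    ):
        print(f"{label}: formaction leaks = {formaction_leaks(SAMPLE_FRAGMENT, attr_set)}")
```

The same shape of check is a reasonable regression test to keep around: feed a fragment containing formaction through the real cleaner after an upgrade and assert the attribute is gone, rather than trusting the version number alone.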
--- Begin Message ---
Subject: Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Tue, 22 Mar 2022 22:32:52 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hi,
Léo Le Bouter <lle-bout@zaclys.net> writes:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
This is the current version in Guix.
Closing; thanks!
Maxim
--- End Message ---