GNU bug report logs

#47319 python-lxml is vulnerable to CVE-2021-28957

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #24 received at 47319-done@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47319-done) by debbugs.gnu.org; 23 Mar 2022 02:33:02 +0000
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 22 22:33:02 2022
Received: from localhost ([127.0.0.1]:42270 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1nWqo2-0000dV-5y
	for submit@debbugs.gnu.org; Tue, 22 Mar 2022 22:33:02 -0400
Received: from mail-qk1-f175.google.com ([209.85.222.175]:40816)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1nWqo0-0000d9-0P
 for 47319-done@debbugs.gnu.org; Tue, 22 Mar 2022 22:33:00 -0400
Received: by mail-qk1-f175.google.com with SMTP id i65so140835qkd.7
 for <47319-done@debbugs.gnu.org>; Tue, 22 Mar 2022 19:32:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version:content-transfer-encoding;
 bh=hY5mT7VxyRAikqZwaIN9CTYOEbZv4fs9GllZeMWSrNk=;
 b=qbBkxuLR1cDb90fniIInk8/VkeGtg3AfHjIH93TOFWsTeHgUJ1cTkcrFvjzIMmMGCL
 afUZ280tXSTkG3iUMNMZWP2K0HjpIiGgHtdK661zD1YjDqVXuBi1/xDMzbgjsS1J43G+
 nH+oW6ZvLslj2hZIrwOC5ijoQe2oRxiaiTVi8bvkd8HUxV8ymhYZWJLRrbrb07b583Fo
 UK9fOONcgVXLsjQOfC/Gkqf5Mc2ked+hE1B/RY5bdLbJlZe6vibQnE1CkXsz4cvMmWsB
 DkPj5Pvk1ceHpxsW3+Fbf35pkZ37NzmVtBlgKrpihNhBRlyNj+Nzmft88u9V9AA9lbAY
 ZRSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version:content-transfer-encoding;
 bh=hY5mT7VxyRAikqZwaIN9CTYOEbZv4fs9GllZeMWSrNk=;
 b=v6B4o+CtvCiyYQLfXTmJ6mZDV7v/gdqsrcLHYlRJFEKD9NInQjxTU/i1hrGYTYOiEU
 Ov5n9GM5q6miJngy8sBqjPbu+11/uf8FJ4n0tyUjP9WrYOBqq+nlIeXRFsyAxF5kGksQ
 XD70HNi0n2e3d9zjyvAXgarJ9g3Dxjc5DsfOIILPEQxGFEsbH0lgppkBRy/fOj2RjMTU
 SeIesIeqmXoYb+4NumVhgAxH0dxf3NTdWWP5HFI/wSPjYO6ekhdg+DedLYnhuFoW1lVE
 HGAcSj8mhT1SD5fIVZdwANASe/g5iH1lYYdfImBT1tn9PXUUVobDCmH0tZihYY4R0s6g
 PSmA==
X-Gm-Message-State: AOAM530YSTMqfSwutec1rup4dxBYz6dBEbYnWS0B7dj+DlB4fb0TP8Nq
 rJxVH3Ed7P4t4fOgfiHhVrVjhmdkUzk=
X-Google-Smtp-Source: ABdhPJxCRxjmsc4NTZ8ADXUPr1uud/TTZz3d4Wbx1C+WPD0RDeKYnUiC27ZwZoyAR7o0HiP4ZX7qRQ==
X-Received: by 2002:a05:620a:45a6:b0:67d:8bf6:2a49 with SMTP id
 bp38-20020a05620a45a600b0067d8bf62a49mr16789158qkb.161.1648002774408; 
 Tue, 22 Mar 2022 19:32:54 -0700 (PDT)
Received: from hurd (dsl-10-129-199.b2b2c.ca. [72.10.129.199])
 by smtp.gmail.com with ESMTPSA id
 m3-20020a05622a118300b002e1beed4908sm15524278qtk.3.2022.03.22.19.32.53
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 22 Mar 2022 19:32:53 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Subject: Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
References: <8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net>
Date: Tue, 22 Mar 2022 22:32:52 -0400
In-Reply-To: <8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net>
 ("Léo
 Le Bouter"'s message of "Mon, 22 Mar 2021 15:09:24 +0100")
Message-ID: <874k3p1jqj.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 47319-done
Cc: 47319-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-28957	21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.

This is the current version in Guix.

Closing; thanks!

Maxim

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:12:56 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.