<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<h3>
Salvatore Bonaccorso pushed to branch master
at <a href="https://salsa.debian.org/security-tracker-team/security-tracker">Debian Security Tracker / security-tracker</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a1546fb68258e1720f77086e8c19281f2c6aed">d5a1546f</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2020-02-27T13:43:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Update python-bleach TEMP-0951907-7D0FFB (#951907) to indicate jessie/stretch not affected"

The code was several times quite refactored, but the issue is present as
well in older versions. See https://bugs.debian.org/951907#42 and
following. In particular upstream, back in b07814e0753c ("Extract
all html5lib things into a shim module") in v3.0.0, split some code
from bleach.sanitizer to bleach.html5lib_shim, and before in
67afdf8ae7d3 ("Prevent HTMLTokenizer from unescaping entities") in v2.1
was quite refactored.

But the issue which arises when 'cleaning' when noscript and one of the
mentioned raw text tags are whitelisted is present in earlier versions
even. Tested explicitly in 2.0-1 and 1.4-1.

This reverts commit b2007687dcd7a17c62cfb47af81b08e99add8f08.
</pre>
</li>
</ul>
<h4>1 changed file:</h4>
<ul>
<li class="file-stats">
<a href="#4716ef5aa8f2742228ba3b3633215c8b808565e3">
data/CVE/list
</a>
</li>
</ul>
<h4>Changes:</h4>
<li id="4716ef5aa8f2742228ba3b3633215c8b808565e3">
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a1546fb68258e1720f77086e8c19281f2c6aed#4716ef5aa8f2742228ba3b3633215c8b808565e3"><strong>data/CVE/list</strong></a>
<hr>
No preview for this file type
<br>
</li>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a1546fb68258e1720f77086e8c19281f2c6aed">View it on GitLab</a>.


</p>
</div>
</body>
</html>