[Git][security-tracker-team/security-tracker][master] Update tracking for lxml issue

Salvatore Bonaccorso carnil at debian.org
Wed Dec 16 20:45:36 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c511de24 by Salvatore Bonaccorso at 2020-12-16T21:41:31+01:00
Update tracking for lxml issue

After checking with Red Hat secalert and upstream lxml, it is not
agreed to treat those two as different issues; both vectors are covered
by CVE-2020-27783.

According to upstream both issues were discovered together. Neither the
chosen description nor the bugzilla back then treated them
differently.

Red Hat secalert has updated accordingly comment #0 in bugzilla.

Upstream comment:
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
..

That said: no idea why then only one commit landed in 4.6.1 and the
other in 4.6.2.

For Debian LTS this means: upload another iteration of lxml with the
second fix applied and use DLA-2467-2 accordingly as 'security update'
(and not regression update).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -533,10 +533,6 @@ CVE-2020-35218
 	RESERVED
 CVE-2020-35217
 	RESERVED
-CVE-2020-XXXX [lxml sanitisng in math/svg, similar to CVE-2020-27783]
-	- lxml 4.6.2-1
-	[buster] - lxml 4.3.2-1+deb10u1
-	NOTE: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 (lxml-4.6.2)
 CVE-2020-35216
 	RESERVED
 CVE-2020-35215
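Review bot: dropping the placeholder entry also drops its "[buster] - lxml 4.3.2-1+deb10u1" line, and nothing equivalent is added to the surviving CVE-2020-27783 entry, which only carries {DSA-4810-1 DLA-2467-1}. The commit message covers the LTS follow-up (DLA-2467-2) but says nothing about buster, so it should be verified that the DSA-4810-1 upload already contains the second commit (a105ab8d, lxml-4.6.2); if it does not, the merged entry needs a [buster] line or a follow-up DSA marker so that buster is not silently recorded as fixed for both vectors.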
@@ -9598,8 +9594,9 @@ CVE-2020-27784
 	RESERVED
 CVE-2020-27783 (A XSS vulnerability was discovered in python-lxml's clean module. The  ...)
 	{DSA-4810-1 DLA-2467-1}
-	- lxml 4.6.1-1
+	- lxml 4.6.2-1
 	NOTE: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e (lxml-4.6.1)
+	NOTE: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 (lxml-4.6.2)
 CVE-2020-27782
 	RESERVED
 CVE-2020-27781
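Review bot: the "{DSA-4810-1 DLA-2467-1}" reference line is left unchanged even though the commit message states that the LTS package still lacks the second fix and that a DLA-2467-2 is to be issued; once that DLA is published the braces should be updated to include it, otherwise the entry claims full coverage by DLA-2467-1 while the tracking data (fixed in 4.6.2-1, second NOTE for a105ab8d) says the 4.6.1-era upload only addressed one of the two vectors. Bumping the fixed version from 4.6.1-1 to 4.6.2-1 and keeping both NOTE lines is consistent with treating the two commits as one CVE.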



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c511de24594a6e1e6a1b4a9bcc7348c0feec7b9a

-- 



