[Python-modules-team] Bug#951907: src:python-bleach: Security issue: mutation XSS vulnerability
Scott Kitterman
debian at kitterman.com
Sat Feb 22 23:07:22 GMT 2020
Package: src:python-bleach
Version: 3.1.0-1
Severity: serious
Tags: security upstream
From the upstream change log:
**Security fixes**
* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
browser behavior.
Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
the raw text tags (``title``, ``textarea``, ``script``, ``style``,
``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
to a mutation XSS.
This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
and v3.1.0. Earlier versions are probably affected too.
Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.
https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
Note: The referenced bug is not currently publicly accessible.
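The changelog above names a specific risky combination: a ``bleach.clean`` call that allows ``noscript`` together with one or more raw text tags, on Bleach <= 3.1.0. The following is an added example (not Bleach's code and not part of this bug report) that audits a set of allowed-tag lists for exactly that combination, so a deployment can find affected call sites before or while upgrading. The call-site names and tag lists in ``SAMPLE_CONFIGS`` are constructed for illustration; the raw text tag set and the version bound come from the changelog text. It does not import ``bleach`` and does not attempt to reproduce the mutation.

```python
"""Audit bleach.clean() allowed-tag lists for the noscript + raw-text-tag
combination described in the upstream changelog.  Added example; not code
from the bleach project or from this bug report."""

# Raw text tags listed in the changelog as dangerous alongside noscript.
RAW_TEXT_TAGS = frozenset(
    {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}
)

# "Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade."
LAST_AFFECTED_VERSION = (3, 1, 0)


def parse_version(version: str) -> tuple:
    """Turn 'v3.1.0' or '3.1.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def version_is_affected(version: str) -> bool:
    """True for every release the changelog says is (probably) affected."""
    return parse_version(version) <= LAST_AFFECTED_VERSION


def risky_tags(allowed_tags) -> set:
    """Return the raw text tags that, together with noscript, put a
    bleach.clean() call in the affected configuration; empty set otherwise."""
    allowed = {t.lower() for t in allowed_tags}
    if "noscript" not in allowed:
        return set()
    return allowed & RAW_TEXT_TAGS


def audit(configs, bleach_version: str) -> dict:
    """configs: mapping of call-site name -> allowed tag list.
    Returns {call_site: sorted conflicting tags} for affected call sites,
    or {} when the installed bleach version is past the affected range."""
    if not version_is_affected(bleach_version):
        return {}
    findings = {}
    for name, tags in configs.items():
        conflict = risky_tags(tags)
        if conflict:
            findings[name] = sorted(conflict)
    return findings


# Constructed sample: three hypothetical call sites in one application.
SAMPLE_CONFIGS = {
    "comments": ["p", "a", "noscript", "style", "iframe"],  # affected
    "markdown": ["p", "a", "em", "strong", "noscript"],      # noscript alone
    "titles": ["b", "i", "title"],                           # raw text tag alone
}

if __name__ == "__main__":
    for version in ("3.1.0", "3.1.1"):
        print(version, audit(SAMPLE_CONFIGS, version))
```

Run against the sample on version 3.1.0 the audit reports only the ``comments`` call site (``iframe`` and ``style`` alongside ``noscript``); the two call sites that allow only one half of the combination are not flagged, matching the changelog's wording that both ``noscript`` and a raw text tag must be allowed.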