[Python-modules-team] Bug#951907: src:python-bleach: Security issue: mutation XSS vulnerability

Scott Kitterman debian at kitterman.com
Sat Feb 22 23:07:22 GMT 2020


Package: src:python-bleach
Version: 3.1.0-1
Severity: serious
Tags: security upstream

From the upstream change log:

**Security fixes**

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
  browser behavior.

  Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
  the raw text tags (``title``, ``textarea``, ``script``, ``style``,
  ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
  to a mutation XSS.

  This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
  and v3.1.0. Earlier versions are probably affected too.

  Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1615315

Note: The referenced bug is not currently publicly accessible.
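As an added illustration (not part of the bug report or of Bleach itself), a small policy check a deployment can run over its own `bleach.clean` tag allowlist while the upgrade the changelog recommends is rolled out: it flags the combination named above (`noscript` together with one of the raw text tags) and drops `noscript` when that combination would otherwise be passed through. The `guarded_clean` wrapper assumes Bleach is installed; the helper functions work without it.

```python
"""Allowlist guard for the noscript/raw-text configuration (added example)."""

# Raw text tags named in the upstream changelog entry. Allowing any of them
# together with ``noscript`` is the configuration the entry calls vulnerable.
RAW_TEXT_TAGS = frozenset(
    {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}
)


def risky_tag_combination(tags):
    """Return the raw text tags that, combined with ``noscript`` in ``tags``,
    reproduce the configuration the changelog describes.

    An empty set means the allowlist does not pair ``noscript`` with any of
    the raw text tags (either ``noscript`` is absent or none of them are).
    """
    allowed = {t.lower() for t in tags}
    if "noscript" not in allowed:
        return set()
    return allowed & RAW_TEXT_TAGS


def hardened_tags(tags):
    """Return ``tags`` unchanged if the combination is absent; otherwise
    return the same list with ``noscript`` removed, preserving order."""
    if not risky_tag_combination(tags):
        return list(tags)
    return [t for t in tags if t.lower() != "noscript"]


def guarded_clean(html, tags, **kwargs):
    """Call bleach.clean with an allowlist that never combines ``noscript``
    with a raw text tag. ``bleach`` is assumed installed; it is imported
    lazily so the two helpers above work without it."""
    import bleach

    return bleach.clean(html, tags=hardened_tags(tags), **kwargs)
```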
