[Python-modules-team] Bug#951907: Suggested Stable Fix
Scott Kitterman
debian at kitterman.com
Thu Feb 27 13:05:58 GMT 2020
On February 27, 2020 12:18:53 PM UTC, Salvatore Bonaccorso <carnil at debian.org> wrote:
>Hi Scott,
>
>On Thu, Feb 27, 2020 at 06:24:09AM -0500, Scott Kitterman wrote:
>> On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
>> > Hi Scott,
>> >
>> > On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
>> > > Debdiff for proposed stable security update attached.
>> > >
>> > > The first hunk of the patch has the actual fix. I would prefer to use the
>> > > new upstream release rather than just patch the one line because of the
>> > > test improvements, of the explanation of the issue in the upstream
>> > > changelog, and using the new upstream makes it clearer to external
>> > > reviewers we've done the fix. There are no unrelated changes.
>> >
>> > Okay, let's fix this via a DSA.
>> > I checked the reverse dependencies and none seem to be particularly
>> > impacted, but given the primary use of the module is to sanitize input
>> > and is generic enough we should update.
>> >
>> > Can you set urgency=high for consistency, and add the now assigned CVE
>> > reference (I did contact Mozilla CNA for it, and they assigned one, it
>> > is CVE-2020-6802).
>> >
>> > Many thanks for your work and apologies for the long delay.
>>
>> Thanks. No worries about the delay. I imagine this isn't the most severe
>> issue you are dealing with this week.
>>
>> I've dput the package to security-master, modified as above.
>
>Great many thanks, it got ACCEPTED and I quickly tested it as well.
>Looks good.
>
>I think though we might need to revisit the assessment that older
>versions are not affected. Look at this quick and dirty test
>deduced from the testsuite:
...
I'll see if I can figure something out. In the older versions it's all passed to html5lib in a glob of kwargs. I'm not sure if that means the problem is in html5lib (bad defaults) or if there is a way to address it in bleach.

It'll be at least Friday before I can look at it.

Scott K