[Python-modules-team] Bug#954236: Proposed Buster Fix (pyhon3-bleach: New secuirty issue: mutation XSS (again))
Scott Kitterman
debian at kitterman.com
Fri Mar 20 17:57:25 GMT 2020
On Thursday, March 19, 2020 6:24:22 PM EDT Salvatore Bonaccorso wrote:
> Hi Scott,
>
> On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> > Upstream's 3.1.2 release had just the security fix in it. I propose
> > updating buster with it (I put 3.1.3 in unstable, but it had non-security
> > fixes in it.
> >
> > I'm not 100% sure about if we need to modify the import path for the new
> > test since we don't use the vendored html5lib, but other than that (which
> > I will investigate), this should be good.
>
> Given we did release a DSA for the similar issue CVE-2020-6802 for
> buster we can do the same as well now for this issue (it got assigned
> CVE-2020-6816).
>
> Your plan to rebase to 3.1.2 looks good to me.
>
> Once you have the update ready please just come back to us, if
> possible add the CVE id reference as it was assigned now, but more
> importantly please adjust the debian/changelog (the target
> distribution needs to be buster-security).
>
> many thanks for your work!
I've uploaded it to security-master (didn't get the accept yet, so you should
see it shortly.
I added the CVE reference and changed the target distribution.
In addition to test building, I ran the autopkgtests locally and it all
passed, so it should be good to go.
Scott K
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20200320/bb51c329/attachment.sig>
More information about the Python-modules-team
mailing list