[Python-modules-team] Bug#954236: Proposed Buster Fix (python3-bleach: New security issue: mutation XSS (again))

Salvatore Bonaccorso carnil at debian.org
Fri Mar 20 20:06:54 GMT 2020


Hi Scott,

On Fri, Mar 20, 2020 at 01:57:25PM -0400, Scott Kitterman wrote:
> On Thursday, March 19, 2020 6:24:22 PM EDT Salvatore Bonaccorso wrote:
> > Hi Scott,
> > 
> > On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> > > Upstream's 3.1.2 release had just the security fix in it.  I propose
> > > updating buster with it (I put 3.1.3 in unstable, but it had non-security
> > > fixes in it).
> > > 
> > > I'm not 100% sure about if we need to modify the import path for the new
> > > test since we don't use the vendored html5lib, but other than that (which
> > > I will investigate), this should be good.
> > 
> > Given we did release a DSA for the similar issue CVE-2020-6802 for
> > buster we can do the same as well now for this issue (it got assigned
> > CVE-2020-6816).
> > 
> > Your plan to rebase to 3.1.2 looks good to me.
> > 
> > Once you have the update ready please just come back to us, if
> > possible add the CVE id reference as it was assigned now, but more
> > importantly please adjust the debian/changelog (the target
> > distribution needs to be buster-security).
> > 
> > Many thanks for your work!
> 
> I've uploaded it to security-master (didn't get the accept yet, so you should
> see it shortly).
> 
> I added the CVE reference and changed the target distribution.
> 
> In addition to test building, I ran the autopkgtests locally and it all 
> passed, so it should be good to go.

Thank you!

DSA 4643-1 with your update released!

Regards,
Salvatore
