Source: lxml Version: 4.6.2-1 Severity: important Tags: security upstream Forwarded: https://bugs.launchpad.net/lxml/+bug/1888153 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for lxml. CVE-2021-28957[0]: | lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in | html/defs.py) for later use in input sanitization, but does not do the | same for the HTML5 formaction attribute. Upstream bug [1] is not currently public at time of writing, but a pull request exists [2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-28957 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957 [1] https://bugs.launchpad.net/lxml/+bug/1888153 [2] https://github.com/lxml/lxml/pull/316 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
