Your message dated Sat, 22 Feb 2020 23:50:06 +0000
with message-id <e1j5ex8-0009pp...@fasolo.debian.org>
and subject line Bug#951907: fixed in python-bleach 3.1.1-1
has caused the Debian Bug report #951907,
regarding src:python-bleach: Security issue: mutation XSS vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
951907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:python-bleach
Version: 3.1.0-1
Severity: serious
Tags: security upstream
From the upstream change log:

**Security fixes**

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
  browser behavior.

  Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
  the raw text tags (``title``, ``textarea``, ``script``, ``style``,
  ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
  to a mutation XSS.

  This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
  and v3.1.0. Earlier versions are probably affected too.

  Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1615315

Note: The referenced bug is not currently publicly accessible.
--- End Message ---
--- Begin Message ---
Source: python-bleach
Source-Version: 3.1.1-1
Done: Scott Kitterman <sc...@kitterman.com>
We believe that the bug you reported is fixed in the latest version of
python-bleach, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 951...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated python-bleach
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 22 Feb 2020 18:21:10 -0500
Source: python-bleach
Architecture: source
Version: 3.1.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team
<python-modules-t...@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Closes: 951907
Changes:
python-bleach (3.1.1-1) unstable; urgency=high
.
* New upstream security release (Closes: #951907)
* Temporarily disable tests due to #945522 in order to get this security
update published
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
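The condition in the changelog entry quoted in the bug report (``noscript`` allowed together with a raw text tag, on Bleach <= 3.1.0) can be audited statically. The following is an added example, not code from Bleach or Debian: the function names and sample source are constructed, and matching any call named ``clean`` is a heuristic assumption.

```python
import ast

# Raw text tags listed in the changelog entry quoted in the bug report.
RAW_TEXT_TAGS = {"title", "textarea", "script", "style",
                 "noembed", "noframes", "iframe", "xmp"}
FIXED = (3, 1, 1)  # the report asks anyone on Bleach <= 3.1.0 to upgrade

def version_affected(version):
    """Accepts upstream ('v3.1.0') or Debian ('3.1.0-1') version strings."""
    upstream = version.lstrip("v").split("-")[0]
    return tuple(int(p) for p in upstream.split(".")[:3]) < FIXED

def risky_tags(tags):
    """Raw text tags allowed alongside noscript; empty set if none."""
    tags = {t.lower() for t in tags if isinstance(t, str)}
    return tags & RAW_TEXT_TAGS if "noscript" in tags else set()

def find_risky_clean_calls(source):
    """Return sorted (line, raw_text_tags) for clean(...) calls whose literal
    allow-list (second positional argument or tags=) is risky."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
        if name != "clean":
            continue
        exprs = node.args[1:2] + [k.value for k in node.keywords if k.arg == "tags"]
        for expr in exprs:
            try:
                tags = ast.literal_eval(expr)
            except (ValueError, TypeError):
                continue  # allow-list built at runtime: review by hand
            if isinstance(tags, (list, tuple, set, frozenset)) and risky_tags(tags):
                findings.append((node.lineno, sorted(risky_tags(tags))))
    return sorted(findings)

# Constructed sample input (parsed only, never executed).
SAMPLE = '''
import bleach
a = bleach.clean(text, tags=["b", "i", "noscript"])
b = bleach.clean(text, tags=["noscript", "style", "p"])
c = bleach.clean(text, tags=ALLOWED)
d = bleach.clean(text, ["noscript", "iframe", "title"])
'''

if __name__ == "__main__":
    print(find_risky_clean_calls(SAMPLE))
```

Allow-lists assembled at runtime (line 5 of the sample) are skipped by this scan and need manual review.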