bug#47319: python-lxml is vulnerable to CVE-2021-28957

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

From: Leo Famulari <leo@famulari.name>
To: 47319@debbugs.gnu.org
Subject: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Tue, 23 Mar 2021 13:55:23 -0400	[thread overview]
Message-ID: <YFori3lHDKLjAEyE@jasmine.lan> (raw)
In-Reply-To: <8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net>

[-- Attachment #1: Type: text/plain, Size: 1222 bytes --]

On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957	21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:

https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957

So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company. We would monitor the Debian page and
copy their patch, if they decide to fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
> 
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't recall know if
it works or not.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next prev parent reply	other threads:[~2021-03-23 17:58 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-22 14:09 bug#47319: python-lxml is vulnerable to CVE-2021-28957 Léo Le Bouter via Bug reports for GNU Guix
2021-03-23 15:29 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-23 17:55 ` Leo Famulari [this message]
2021-04-05 23:54   ` Mark H Weaver
2022-03-23  2:32 ` Maxim Cournoyer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YFori3lHDKLjAEyE@jasmine.lan \
    --to=leo@famulari.name \
    --cc=47319@debbugs.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).