On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:

> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major updates of packages with a lot of dependents:

https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957

So, both Debian and Red Hat are still shipping the vulnerable packages. At least, we are in good company. We would monitor the Debian page and copy their patch, if they decide to fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
>
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far as I can tell from reading the Git log, although I don't know if it works or not.
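The bug quoted above is a sanitizer allowlist gap: an attribute that carries a URL (`formaction`) was missing from the list of link attributes that lxml's cleaning code inspects, so a dangerous URL in it survives cleaning. While a distribution waits on a patch, a cheap mitigation is a second, independent check that runs over the sanitizer's output and fails closed on any URL-bearing attribute with a script-executing scheme. The following is an added example written for this note; it is not code from the Guix thread, from lxml, or from the linked upstream commit. It uses only the Python standard library, and the attribute set `URL_ATTRS` and the scheme list `SCRIPT_SCHEMES` are this example's own assumptions, not lxml's `defs.link_attrs`. The sample HTML is constructed to look like the output of a sanitizer that knows `action` but not `formaction`.

```python
"""Post-sanitization audit for URL-bearing HTML attributes (added example)."""
from html.parser import HTMLParser
from typing import List, Tuple

# Attributes that can carry a URL. This set is an assumption made for the
# example; it is NOT lxml's defs.link_attrs. 'formaction' is the HTML5
# attribute that CVE-2021-28957 reports lxml 4.6.2 as not covering.
URL_ATTRS = frozenset({
    "href", "src", "action", "formaction", "background", "cite",
    "codebase", "data", "longdesc", "poster", "usemap", "xlink:href",
})

# URL scheme prefixes that make a browser execute code. Also an assumption
# for the example; extend to match your own sanitizer policy.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _normalise(value: str) -> str:
    """Approximate browser URL pre-processing so obfuscated schemes are not
    missed: drop ASCII tab/newline/CR anywhere, strip surrounding whitespace,
    lowercase."""
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    return cleaned.lower()


def is_script_url(value: str) -> bool:
    """True if the (normalised) attribute value starts with a script scheme."""
    return _normalise(value).startswith(SCRIPT_SCHEMES)


class UrlAttrAuditor(HTMLParser):
    """Collects (tag, attribute, raw value) for every URL-bearing attribute
    whose value would execute script. HTMLParser already lowercases tag and
    attribute names and unescapes character references in values."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if value is None:
                continue  # boolean attribute such as <input disabled>
            if name in URL_ATTRS and is_script_url(value):
                self.findings.append((tag, name, value))


def audit(html: str) -> List[Tuple[str, str, str]]:
    """Return every script-bearing URL attribute found in `html`.
    An empty list means the document passed the check."""
    parser = UrlAttrAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: what a sanitizer that strips 'action' but does not
# know 'formaction' might leave behind. The href was cleaned; the two
# formaction values were not.
SAMPLE = """
<form action="https://example.com/submit">
  <input type="text" name="q">
  <button type="submit" formaction="javascript:alert(1)">Go</button>
  <button type="submit" formaction=" JavaScript:alert(2)">Go</button>
  <a href="https://example.com/">safe link</a>
</form>
"""

if __name__ == "__main__":
    findings = audit(SAMPLE)
    for tag, attr, value in findings:
        print(f"REJECT <{tag} {attr}={value!r}>")
    raise SystemExit(1 if findings else 0)
```

The audit is deliberately independent of the sanitizer's own attribute tables, so a gap like the one above in one library does not silently become a gap in the whole pipeline; wire it in after cleaning and treat any finding as a rejection of the document, not as something to patch up in place.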