Subject: bug#47319: python-lxml is vulnerable to CVE-2021-28957
From: Leo Famulari
Date: Tue, 23 Mar 2021 13:55:23 -0400
To: 47319@debbugs.gnu.org
Cc: Léo Le Bouter via Bug reports for GNU Guix
List: bug-guix@gnu.org (Bug reports for GNU Guix)
In-Reply-To: <8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net>
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major updates
of packages with a lot of dependents:

https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957

So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company.

We would monitor the Debian page and copy their patch, if they decide to
fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
>
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't know if it
works or not.
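As an added illustration of the gap quoted above (example code written for this archive page; it is neither lxml's own cleaner nor the upstream fix), here is a minimal allowlist-based URL-attribute sanitizer built on Python's standard-library html.parser. It runs the same constructed sample through two allowlists: one that knows `action` but not `formaction`, mirroring what the CVE text describes for lxml 4.6.2, and one that includes `formaction`. The attribute sets, the small HTML5_URL_ATTRS audit list, the sample markup and the dangerous-scheme check are all assumptions made for the example; the only fact taken from the report is that the pre-4.6.3 list covered `action` and not `formaction`.

```python
"""Added example (not lxml's code): a minimal URL-attribute sanitizer that
shows the class of bug behind CVE-2021-28957.  An allowlist of URL-valued
attributes that covers `action` but not the HTML5 `formaction` attribute
lets a javascript: URL survive on a submit button.  The attribute sets,
the sample HTML and the scheme check are constructed for this example.
"""
import html
import re
from html.parser import HTMLParser

# URL-valued attributes whose scheme must be checked.  This mirrors the gap
# described in the CVE report: `action` is covered, `formaction` is not.
# (Constructed for the example; not lxml's actual defs.link_attrs.)
LINK_ATTRS_VULNERABLE = frozenset({"href", "src", "action", "cite", "background"})

# Hardened set: the HTML5 form-override attribute is included.
LINK_ATTRS_HARDENED = LINK_ATTRS_VULNERABLE | {"formaction"}

# HTML5 URL-valued attributes that older allowlists commonly miss
# (constructed list for the audit helper below).
HTML5_URL_ATTRS = frozenset({"formaction", "ping", "poster"})

_DANGEROUS_SCHEME = re.compile(r"^(javascript|vbscript):", re.IGNORECASE)


def is_dangerous_url(value: str) -> bool:
    """True if the value resolves to a script scheme.

    Browsers ignore ASCII control characters and whitespace inside the
    scheme ("java<tab>script:"), so strip them before matching.
    """
    collapsed = re.sub(r"[\x00-\x20]", "", value)
    return _DANGEROUS_SCHEME.match(collapsed) is not None


class LinkAttrSanitizer(HTMLParser):
    """Re-serialises HTML, dropping allowlisted URL attributes with a script scheme."""

    def __init__(self, link_attrs):
        super().__init__(convert_charrefs=True)
        self.link_attrs = link_attrs
        self.out = []
        self.dropped = []  # (tag, attr, value) triples, useful for logging/detection

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name in self.link_attrs and value is not None and is_dangerous_url(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append((name, value))
        return kept

    def _serialise(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in self._clean_attrs(tag, attrs):
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._serialise(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._serialise(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup: str, link_attrs):
    """Return (cleaned_html, dropped_attributes) for the given allowlist."""
    parser = LinkAttrSanitizer(link_attrs)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


def missing_url_attrs(link_attrs):
    """Audit helper: which HTML5 URL-valued attributes does an allowlist not cover?"""
    return sorted(HTML5_URL_ATTRS - set(link_attrs))


# Constructed sample: the form's own action is benign, but the submit button
# overrides it with a javascript: URL through formaction.  The anchor uses a
# tab inside the scheme to show why the control-character stripping matters.
SAMPLE = (
    '<form action="https://example.com/submit">'
    '<input name="q">'
    '<button formaction="javascript:alert(document.cookie)">Go</button>'
    '<a href="java\tscript:alert(1)">x</a>'
    "</form>"
)

if __name__ == "__main__":
    for label, attrs in (("vulnerable", LINK_ATTRS_VULNERABLE), ("hardened", LINK_ATTRS_HARDENED)):
        cleaned, dropped = sanitize(SAMPLE, attrs)
        print(f"[{label}] uncovered HTML5 URL attrs: {missing_url_attrs(attrs)}")
        print(f"[{label}] dropped: {dropped}")
        print(f"[{label}] output : {cleaned}")
```

With the vulnerable allowlist the `href` on the anchor is stripped but the `formaction` on the button is left intact, which is exactly the condition the report describes; with the hardened list both are dropped. The `missing_url_attrs` audit is the kind of check worth running against whatever attribute list a backported or grafted fix ends up shipping, since the fix for this class of bug is an allowlist entry and nothing else in the package changes.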