unofficial mirror of bug-guix@gnu.org 
* bug#47319: python-lxml is vulnerable to CVE-2021-28957
@ 2021-03-22 14:09 Léo Le Bouter via Bug reports for GNU Guix
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-22 14:09 UTC (permalink / raw)
  To: 47319


CVE-2021-28957	21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo


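The gap Léo's report describes, as an added example that is not part of the bug report or of lxml's own code: a small stdlib-only sanitizer in which a `link_attrs`-style set decides which attributes get a URL-scheme check, so that leaving `formaction` out of the set can be observed directly and tested for. `LINK_ATTRS_4_6_2`, `LINK_ATTRS_4_6_3`, `URL_BEARING_ATTRS`, the `SAFE_SCHEMES` policy and the sample form are constructed for this demonstration; they stand in for, and are not, lxml's `defs.link_attrs` or its HTML cleaner.

```python
"""Scheme-checking sanitizer for URL-bearing HTML attributes.

Added example, not lxml code: it mirrors the role of lxml's html/defs.py
link_attrs so the effect of omitting `formaction` from that set is visible.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for link_attrs as shipped in 4.6.2: attribute names
# whose values are URLs and therefore get scheme-checked. (Subset only.)
LINK_ATTRS_4_6_2 = frozenset({"href", "src", "action", "cite", "data", "poster"})
# The 4.6.3 fix adds the HTML5 formaction attribute to the same set.
LINK_ATTRS_4_6_3 = LINK_ATTRS_4_6_2 | {"formaction"}
# Audit reference: attributes the HTML spec defines as URL-valued
# (constructed subset), used to check that a sanitizer's set is complete.
URL_BEARING_ATTRS = LINK_ATTRS_4_6_3 | {"background", "longdesc", "ping", "usemap"}

# Schemes allowed to survive sanitization; "" means a relative URL.
SAFE_SCHEMES = frozenset({"", "http", "https", "mailto"})


def has_unsafe_scheme(value):
    """True if the URL's scheme is outside SAFE_SCHEMES.

    Non-printable characters are dropped first: browsers ignore them when
    parsing a scheme, so a sanitizer that keeps them would miss the match."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    return urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES


class LinkSanitizer(HTMLParser):
    """Re-emits the document, dropping any attribute listed in `link_attrs`
    whose value has an unsafe scheme. Attributes outside `link_attrs` pass
    through untouched, which is exactly the gap when a URL-bearing attribute
    such as formaction is missing from the set."""

    def __init__(self, link_attrs):
        super().__init__(convert_charrefs=True)
        self.link_attrs = link_attrs
        self.out = []
        self.dropped = []  # (tag, attr) pairs removed, for logging and tests

    def _emit_start(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if value is not None and name in self.link_attrs and has_unsafe_scheme(value):
                self.dropped.append((tag, name))
                continue
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser already decoded entities, so re-escape on output.
        self.out.append(html.escape(data, quote=False))


def sanitize(document, link_attrs):
    """Return (cleaned_html, dropped) for a sanitizer built on `link_attrs`."""
    s = LinkSanitizer(link_attrs)
    s.feed(document)
    s.close()
    return "".join(s.out), s.dropped


def surviving_unsafe_urls(document, link_attrs):
    """Regression check: which spec-defined URL attributes still carry an
    unsafe scheme after sanitizing with `link_attrs`? Empty means the set
    covers every URL-bearing attribute present in this document."""
    cleaned, _ = sanitize(document, link_attrs)
    auditor = LinkSanitizer(URL_BEARING_ATTRS)
    auditor.feed(cleaned)
    auditor.close()
    return auditor.dropped


# Constructed sample: the same unsafe scheme in `action` and `formaction`.
SAMPLE = (
    '<form action="javascript:void(0)">'
    '<button formaction="javascript:void(0)">Go</button>'
    '<a href="https://example.org/ok">fine</a>'
    "</form>"
)

if __name__ == "__main__":
    for label, attrs in (("4.6.2", LINK_ATTRS_4_6_2), ("4.6.3", LINK_ATTRS_4_6_3)):
        print(label, "survivors:", surviving_unsafe_urls(SAMPLE, attrs))
```

`surviving_unsafe_urls` is the check a distribution maintainer would want in a package's test phase: run it over a document that exercises every URL-bearing attribute and require an empty result, so a future regression in the attribute set fails the build rather than shipping.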


Thread overview: 5+ messages
2021-03-22 14:09 bug#47319: python-lxml is vulnerable to CVE-2021-28957 Léo Le Bouter via Bug reports for GNU Guix
2021-03-23 15:29 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-23 17:55 ` Leo Famulari
2021-04-05 23:54   ` Mark H Weaver
2022-03-23  2:32 ` Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
