bug#47319: python-lxml is vulnerable to CVE-2021-28957

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47319: python-lxml is vulnerable to CVE-2021-28957

From:	Léo Le Bouter
Subject:	bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date:	Mon, 22 Mar 2021 15:09:24 +0100
User-agent:	Evolution 3.34.2

CVE-2021-28957  21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo

signature.asc
Description: This is a digitally signed message part

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47319: python-lxml is vulnerable to CVE-2021-28957, Léo Le Bouter <=
- bug#47319: python-lxml is vulnerable to CVE-2021-28957, Léo Le Bouter, 2021/03/23
- bug#47319: python-lxml is vulnerable to CVE-2021-28957, Leo Famulari, 2021/03/23

Prev by Date: bug#47315: Inkscape is missing imagemagick
Next by Date: bug#47265: Guix System: improve support for intentional statefullness.
Previous by thread: bug#47315: Inkscape is missing imagemagick
Next by thread: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Index(es):
- Date
- Thread