bug#47319: python-lxml is vulnerable to CVE-2021-28957

Status (as of Wed, 25 Jun 2025 17:49:53 +0000):
retitle 47319 python-lxml is vulnerable to CVE-2021-28957
reassign 47319 guix
submitter 47319 Léo Le Bouter
severity 47319 normal
tag 47319 security
thanks

From: Léo Le Bouter
To: bug-guix@gnu.org
Subject: python-lxml is vulnerable to CVE-2021-28957
Date: Mon, 22 Mar 2021 15:09:24 +0100

CVE-2021-28957 21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?
Léo
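The mechanism Léo's report describes is an allowlist: the sanitizer keeps a fixed set of attributes known to carry URLs (defs.link_attrs), checks only those values, and never looks at any URL-bearing attribute missing from the set. The block below is an added example, not code from this thread or from lxml: it models that mechanism with the standard library's html.parser, using two constructed attribute sets (only `action`, present in 4.6.2, and `formaction`, added by the 4.6.3 fix, come from the report) and a constructed HTML sample, and shows that the pre-fix set reports nothing for a `formaction` value while the post-fix set flags it. `installed_lxml_covers_formaction` is a hypothetical helper that assumes the `lxml.html.defs.link_attrs` name given in the report and returns None when lxml is not installed.

```python
import re
from html.parser import HTMLParser
from typing import FrozenSet, List, Optional, Tuple

# Attributes whose values are URLs and therefore get a scheme check.
# Constructed for illustration; only `action` (present in 4.6.2) and
# `formaction` (added by the 4.6.3 fix) come from the bug report.
LINK_ATTRS_BEFORE_FIX: FrozenSet[str] = frozenset({"href", "src", "action"})
LINK_ATTRS_AFTER_FIX: FrozenSet[str] = LINK_ATTRS_BEFORE_FIX | {"formaction"}

# Schemes the auditor accepts; "" stands for a scheme-less (relative) URL.
SAFE_SCHEMES: FrozenSet[str] = frozenset({"", "http", "https", "mailto"})

_SCHEME_RE = re.compile(r"[a-z][a-z0-9+.\-]*")


def url_scheme(value: str) -> str:
    """Return the lower-cased scheme of an attribute value, or '' if relative.

    Whitespace and non-printable characters are dropped first, since browsers
    ignore them inside a scheme; a prefix that is not a syntactically valid
    scheme (e.g. a path that happens to contain ':') counts as relative.
    """
    cleaned = "".join(ch for ch in value.strip().lower()
                      if ch.isprintable() and not ch.isspace())
    scheme, sep, _ = cleaned.partition(":")
    if not sep or not _SCHEME_RE.fullmatch(scheme):
        return ""
    return scheme


Finding = Tuple[str, str, str]  # (tag, attribute, value)


class LinkAttrAuditor(HTMLParser):
    """Record every link attribute whose value uses a scheme outside SAFE_SCHEMES.

    Attributes not listed in `link_attrs` are never inspected; that is the
    gap the report describes for `formaction` in lxml 4.6.2.
    """

    def __init__(self, link_attrs: FrozenSet[str]) -> None:
        super().__init__()
        self.link_attrs = link_attrs
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs) -> None:
        # html.parser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if name in self.link_attrs and value is not None:
                if url_scheme(value) not in SAFE_SCHEMES:
                    self.findings.append((tag, name, value))


def audit(html: str, link_attrs: FrozenSet[str]) -> List[Finding]:
    """Parse `html` and return the link-attribute findings for `link_attrs`."""
    parser = LinkAttrAuditor(link_attrs)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the submit button's formaction overrides the form's
# action with a value that a link-attribute scheme check should reject.
SAMPLE_HTML = (
    '<form action="/submit">'
    '<button formaction="javascript:doSomething()">Send</button>'
    "</form>"
)


def gap_demo() -> Tuple[List[Finding], List[Finding]]:
    """Audit the sample with the pre-fix and the post-fix attribute sets."""
    return (audit(SAMPLE_HTML, LINK_ATTRS_BEFORE_FIX),
            audit(SAMPLE_HTML, LINK_ATTRS_AFTER_FIX))


def installed_lxml_covers_formaction() -> Optional[bool]:
    """Check the locally installed lxml, if any, for the 4.6.3 change.

    Hypothetical helper: assumes `lxml.html.defs.link_attrs` as named in the
    report. Returns None when lxml is not importable, so the rest of the
    example runs without it.
    """
    try:
        from lxml.html import defs  # type: ignore
    except ImportError:
        return None
    return "formaction" in defs.link_attrs


if __name__ == "__main__":
    before, after = gap_demo()
    print("pre-fix attribute set :", before)   # []
    print("post-fix attribute set:", after)    # [('button', 'formaction', 'javascript:doSomething()')]
    print("installed lxml has fix:", installed_lxml_covers_formaction())
```

Run as a script, the pre-fix set yields no finding for the button because `formaction` is simply never looked at, while the post-fix set reports it. This is a model of the allowlist, not lxml's sanitizer itself; the practical point for a maintainer is that the fix is a one-entry change to the attribute set, which is why a version check (or the `installed_lxml_covers_formaction` probe) is the cheapest way to confirm a deployment is covered.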
From: Léo Le Bouter
To: control@debbugs.gnu.org
Date: Mon, 22 Mar 2021 15:10:21 +0100

tags 47319 + security
quit
From: Léo Le Bouter
To: 47319@debbugs.gnu.org
Subject: Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Tue, 23 Mar 2021 16:29:42 +0100

I pushed a9d540cfa87ef3a5de3296188f650fb0d037efbd on core-updates; how to
fix it on master, considering the amount of dependents, remains to be
agreed on.
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47319@debbugs.gnu.org
Subject: Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Tue, 23 Mar 2021 13:55:23 -0400

On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:

https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957

So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company.

We would monitor the Debian page and copy their patch, if they decide to
fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
>
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't know if it
works or not.
From: Mark H Weaver
To: Leo Famulari, 47319@debbugs.gnu.org
Subject: Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Mon, 05 Apr 2021 19:54:54 -0400

Leo Famulari writes:
> On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Has lots of dependents so I suppose it needs grafting? Is that useful
>> and does it work for Python packages?
>
> Grafting Python packages is not something we've done in the past, as far
> as I can tell from reading the Git log, although I don't recall know if
> it works or not.

I see no reason why grafting a python package wouldn't work, although
admittedly my knowledge of Python is weak.
Mark
From: Maxim Cournoyer
To: Léo Le Bouter
Cc: 47319-done@debbugs.gnu.org
Subject: Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Tue, 22 Mar 2022 22:32:52 -0400

Hi,

Léo Le Bouter writes:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.

This is the current version in Guix. Closing; thanks!
Maxim

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 20 Apr 2022 11:24:06 +0000

bug archived.