GNU bug report logs -
#47319
python-lxml is vulnerable to CVE-2021-28957
Previous Next
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Mon, 22 Mar 2021 14:10:02 UTC
Severity: normal
Tags: security
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
Thanks for the notification.
I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:
https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957
So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company. We would monitor the Debian page and
copy their patch, if they decide to fix the bug.
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
>
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?
Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't recall know if
it works or not.
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 3 years and 67 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.