GNU bug report logs - #47319
python-lxml is vulnerable to CVE-2021-28957

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Mon, 22 Mar 2021 14:10:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#47319: closed (python-lxml is vulnerable to CVE-2021-28957)
Date: Wed, 23 Mar 2022 02:34:02 +0000

[Message part 1 (text/plain, inline)]
Your message dated Tue, 22 Mar 2022 22:32:52 -0400
with message-id <874k3p1jqj.fsf <at> gmail.com>
and subject line Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
has caused the debbugs.gnu.org bug report #47319,
regarding python-lxml is vulnerable to CVE-2021-28957
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
47319: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47319
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: python-lxml is vulnerable to CVE-2021-28957
Date: Mon, 22 Mar 2021 15:09:24 +0100

[Message part 3 (text/plain, inline)]
CVE-2021-28957	21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo

[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: 47319-done <at> debbugs.gnu.org
Subject: Re: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Tue, 22 Mar 2022 22:32:52 -0400

Hi,

Léo Le Bouter <lle-bout <at> zaclys.net> writes:

> CVE-2021-28957	21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.

This is the current version in Guix.

Closing; thanks!

Maxim
This bug report was last modified 3 years and 67 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.