Bug 757117 (CVE-2020-27783) - <dev-python/lxml-4.6.2: HTML Cleaner JavaScript pass-through (CVE-2020-27783)
Summary: <dev-python/lxml-4.6.2: HTML Cleaner JavaScript pass-through (CVE-2020-27783)
Status: RESOLVED FIXED
Alias: CVE-2020-27783
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-27 08:48 UTC by Michał Górny
Modified: 2020-12-27 09:20 UTC
CC List: 1 user

See Also:
Package list:
dev-python/lxml-4.6.2
Runtime testing required: ---


Attachments

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-11-27 08:48:01 UTC
+4.6.2 (2020-11-26)
+==================
+
+Bugs fixed
+----------
+
+* A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner by Yaniv Nizry,
+  which allowed JavaScript to pass through.  The cleaner now removes more sneaky
+  "style" content.
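The changelog entry quoted above, together with the bug title, gives the practical facts: lxml's HTML Cleaner let JavaScript through via "style" content, and any lxml release below 4.6.2 is affected (the Gentoo atom is <dev-python/lxml-4.6.2). The script below is an added example for this page, not code from lxml or from the Gentoo tree: it classifies lxml pins in a requirements file against that boundary, reports the interpreter's own lxml, and runs the cleaner over a few constructed inputs. All names (parse_version, classify_specifier, scan_requirements, check_installed, SAMPLE_REQUIREMENTS, SMOKE_INPUTS) and the sample data are assumptions made here. The smoke-test inputs are classic generic vectors, not the bypass fixed in 4.6.2, which this page does not publish; only the version comparison tells you whether the fix is present.

```python
"""Is this Python environment exposed to CVE-2020-27783 (lxml HTML Cleaner)?

Added example for this bug page, not code from lxml or the Gentoo tree. It
mirrors the Gentoo atom "<dev-python/lxml-4.6.2": every lxml release below
4.6.2 counts as affected. Requirements text, cleaner inputs and function names
are constructed here for illustration.
"""
import re
FIXED = (4, 6, 2)  # first release with the fix, per the bug title
_RELEASE_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(.*)$")
_PRE_RE = re.compile(r"^[._-]?(a|b|c|rc|alpha|beta|pre|dev)", re.IGNORECASE)
_SPEC_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")
# An lxml requirement line; the lookahead rejects names such as lxml-html-clean.
_NAME_RE = re.compile(r"^lxml(?:\[[^\]]*\])?(?=$|\s|[=<>~!])\s*([^;#]*?)\s*(?:;.*)?$",
                      re.IGNORECASE)


def parse_version(text):
    """'4.6.1' -> (4, 6, 1, 0); '4.6.2rc1' -> (4, 6, 2, -1). The flag sorts
    pre-releases before their final release, so 4.6.2rc1 still counts as
    affected. A small PEP 440 subset, sufficient for comparing lxml pins."""
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return release + (-1 if _PRE_RE.match(m.group(2)) else 0,)

def is_vulnerable(version):
    """True when `version` is below 4.6.2, the first fixed release."""
    return parse_version(version) < FIXED + (0,)

def classify_specifier(spec):
    """'vulnerable': exact pin to an affected release. 'fixed': exact pin at or
    after 4.6.2, or a lower bound (>=, ~=, >) that excludes every affected
    release. 'unpinned': anything else; the resolver may still pick one."""
    parsed = []
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        m = _SPEC_RE.match(clause)
        if not m:
            return "unpinned"  # bare name, direct URL or unparsable clause
        parsed.append((m.group(1), m.group(2)))
    for op, ver in parsed:
        if op in ("==", "===") and "*" not in ver:
            return "vulnerable" if is_vulnerable(ver) else "fixed"
    for op, ver in parsed:
        if op in (">=", "~=", ">") and "*" not in ver and not is_vulnerable(ver):
            return "fixed"
    return "unpinned"

def scan_requirements(text):
    """[(line, verdict)] for each lxml line; comments and ';' markers ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _NAME_RE.match(line)
        if m:
            findings.append((line, classify_specifier(m.group(1))))
    return findings

# Constructed generic inputs for a smoke test of the cleaner. They are NOT the
# bypass fixed in 4.6.2 (this page does not publish it): passing shows only that
# basic script/style stripping works and never replaces the version check.
SMOKE_INPUTS = [
    "<p><script>alert(1)</script>text</p>",
    '<a href="javascript:alert(1)">link</a>',
    '<div style="width: expression(alert(1))">x</div>',
    "<style>@import url(evil.css);</style><p>y</p>",
]
FORBIDDEN = ("<script", "javascript:", "expression(", "@import")

def check_installed():
    """None when lxml is absent, else {'version', 'affected', 'leaks'}. 'leaks'
    lists cleaner outputs still carrying a forbidden token, or is None when
    lxml.html.clean is missing (lxml >= 5.2 ships it as lxml_html_clean)."""
    try:
        import lxml
    except ImportError:
        return None
    version = lxml.__version__
    report = {"version": version, "affected": is_vulnerable(version), "leaks": None}
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        return report
    cleaner = Cleaner()  # defaults javascript=True, style=False: <style> text is filtered, not dropped
    report["leaks"] = [out for out in (cleaner.clean_html(h) for h in SMOKE_INPUTS)
                       if any(tok in out.lower() for tok in FORBIDDEN)]
    return report

# Constructed requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
lxml==4.6.1          # exact pin below the fixed release
lxml-html-clean==0.4.0
"""

if __name__ == "__main__":
    print(scan_requirements(SAMPLE_REQUIREMENTS))
    print(check_installed())
```

Run the file directly to see the verdict for the sample pins and the report for the interpreter's own lxml. A pre-release such as 4.6.2rc1 is deliberately counted as affected, and range specifiers that leave an affected release reachable (for example >=4.5,<5 or ==4.6.*) are reported as "unpinned" rather than "fixed", so the scanner errs toward flagging.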
Comment 1 NATTkA bot gentoo-dev 2020-11-27 08:48:48 UTC
Unable to check for sanity:

> no match for package: dev-python/lxml-4.6.2
Comment 2 NATTkA bot gentoo-dev 2020-11-27 09:24:49 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-11-27 16:50:23 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-11-29 08:17:35 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-11-29 08:21:03 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-11-29 08:23:04 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-11-29 08:24:14 UTC
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-11-29 08:25:48 UTC
sparc stable
Comment 9 Sam James archtester gentoo-dev Security 2020-12-02 10:23:11 UTC
arm64 done
Comment 10 Sam James archtester gentoo-dev Security 2020-12-02 22:57:54 UTC
arm done
Comment 11 Rolf Eike Beer archtester 2020-12-12 21:38:04 UTC
hppa stable
Comment 12 John Helmert III gentoo-dev Security 2020-12-12 21:41:16 UTC
Maintainer, please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2020-12-27 09:16:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50852dfbad64cb3248a2e480eff723ae2c3ea680

commit 50852dfbad64cb3248a2e480eff723ae2c3ea680
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-27 09:15:46 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-27 09:16:21 +0000

    dev-python/lxml: Remove old
    
    Bug: https://bugs.gentoo.org/757117
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/lxml/Manifest          |  1 -
 dev-python/lxml/lxml-4.6.1.ebuild | 81 ---------------------------------------
 2 files changed, 82 deletions(-)
Comment 14 John Helmert III gentoo-dev Security 2020-12-27 09:20:26 UTC
Tree is clean, all done!