Bug 777579 (CVE-2021-28957) - <dev-python/lxml-4.6.3: JavaScript passthrough in HTML cleaner (CVE-2021-28957)
Summary: <dev-python/lxml-4.6.3: JavaScript passthrough in HTML cleaner (CVE-2021-28957)
Status: IN_PROGRESS
Alias: CVE-2021-28957
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa?]
Reported: 2021-03-21 19:51 UTC by Michał Górny
Modified: 2021-07-29 18:12 UTC

Runtime testing required: ---
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-03-21 19:51:45 UTC
+4.6.3 (2021-03-21)
+==================
+
+Bugs fixed
+----------
+
+* A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung,
+  which allowed JavaScript to pass through.  The cleaner now removes the HTML5
+  ``formaction`` attribute.
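The bug class behind the changelog entry above, as an added example that is not lxml's code: a toy attribute cleaner built only on the Python standard library whose deny-list of URL-bearing attributes (href, src, action; an assumed set for illustration, not lxml's real list) lets a `formaction="javascript:..."` value through, beside the hardened variant that adds `formaction` to the list. The sample markup, `is_script_url`, `AttrCleaner` and `clean` are all constructed for this example.

```python
"""Toy attribute cleaner illustrating the CVE-2021-28957 bug class.

Added example, not lxml's code: a cleaner that neutralises javascript: URLs
only in a fixed list of attributes (href/src/action) lets the HTML5
``formaction`` attribute through; the hardened variant adds it to the list.
Attribute sets and sample markup below are constructed for this example.
"""
import html
import re
from html.parser import HTMLParser

# URL-bearing attributes the cleaner inspects. The "old" set deliberately omits
# formaction to reproduce the pre-4.6.3 gap; neither set is lxml's actual list.
URL_ATTRS_OLD = frozenset({"href", "src", "action"})
URL_ATTRS_FIXED = URL_ATTRS_OLD | {"formaction"}

# Browsers ignore ASCII control characters and whitespace inside the scheme,
# so "java\tscript:" still executes; strip them before matching.
_IGNORED = re.compile(r"[\x00-\x20]")
_SCRIPT_SCHEME = re.compile(r"^(?:javascript|vbscript):", re.IGNORECASE)


def is_script_url(value: str) -> bool:
    """True if the attribute value resolves to a script-executing URL."""
    return bool(_SCRIPT_SCHEME.match(_IGNORED.sub("", value)))


class AttrCleaner(HTMLParser):
    """Re-serialises markup, dropping script URLs and on* event handlers."""

    def __init__(self, url_attrs):
        super().__init__(convert_charrefs=True)
        self.url_attrs = url_attrs
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, for auditing

    def _filter(self, tag, attrs):
        kept = []
        for name, value in attrs:
            # HTMLParser has already decoded entities, so "&#106;avascript:"
            # arrives here as "javascript:" and cannot slip past the check.
            if name.startswith("on") or (
                name in self.url_attrs and value is not None and is_script_url(value)
            ):
                self.dropped.append((tag, name))
                continue
            kept.append((name, value))
        return kept

    @staticmethod
    def _serialise(tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._serialise(tag, self._filter(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._serialise(tag, self._filter(tag, attrs), self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def clean(markup: str, url_attrs=URL_ATTRS_FIXED):
    """Return (cleaned_markup, dropped_attributes)."""
    parser = AttrCleaner(url_attrs)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a comment form where the attacker controls the markup.
SAMPLE = (
    '<form action="/comment"><input type="text" name="body">'
    '<button formaction="javascript:alert(document.cookie)">Post</button>'
    '<a href="&#106;avascript:alert(1)" onclick="evil()">x</a></form>'
)

if __name__ == "__main__":
    for label, attrs in (("old", URL_ATTRS_OLD), ("fixed", URL_ATTRS_FIXED)):
        cleaned, dropped = clean(SAMPLE, attrs)
        print(f"{label}: dropped={dropped}\n  {cleaned}")
```

With `URL_ATTRS_OLD` the anchor's entity-encoded `href` and the `onclick` handler are removed but the button's `formaction` survives intact, which is exactly the passthrough the changelog describes; with `URL_ATTRS_FIXED` it is stripped as well. To check a real installation rather than this toy, feed the same sample through the installed lxml HTML cleaner and confirm that `formaction` is absent from the output, as the 4.6.3 entry says it should be.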
Comment 1 NATTkA bot gentoo-dev 2021-03-21 19:52:53 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-03-21 20:08:53 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester gentoo-dev Security 2021-03-24 19:42:54 UTC
sparc done
Comment 4 Rolf Eike Beer archtester 2021-03-25 06:41:07 UTC
hppa stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-03-25 18:13:09 UTC
x86 stable
Comment 6 Sam James archtester gentoo-dev Security 2021-03-25 23:12:55 UTC
amd64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-03-25 23:17:50 UTC
ppc done
Comment 8 Sam James archtester gentoo-dev Security 2021-03-25 23:18:42 UTC
ppc64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-03-26 00:22:17 UTC
arm64 done
Comment 10 Agostino Sarubbo gentoo-dev 2021-03-26 11:51:07 UTC
s390 stable
Comment 11 Sam James archtester gentoo-dev Security 2021-03-27 16:05:02 UTC
arm done

all arches done
Comment 12 John Helmert III gentoo-dev Security 2021-03-27 17:01:09 UTC
Please cleanup
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:23:37 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:32:01 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:39:54 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 17:48:06 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2021-07-29 18:04:01 UTC Comment hidden (obsolete)
Comment 18 NATTkA bot gentoo-dev 2021-07-29 18:12:20 UTC
Package list is empty or all packages have requested keywords.