python-bleach: CVE-2018-7753: URI values with character entities not properly sanitized

Related Vulnerabilities: CVE-2018-7753  

Debian Bug report logs - #892252


Reported by: Scott Kitterman <debian@kitterman.com>

Date: Wed, 7 Mar 2018 07:12:01 UTC

Severity: important

Tags: security, upstream

Found in version python-bleach/2.1.2-1

Fixed in version python-bleach/2.1.3-1

Done: Scott Kitterman <scott@kitterman.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#892252; Package src:python-bleach. (Wed, 07 Mar 2018 07:12:06 GMT).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 07 Mar 2018 07:12:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Scott Kitterman <debian@kitterman.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: src:python-bleach: URI values with character entities not properly sanitized
Date: Wed, 07 Mar 2018 02:09:14 -0500
Package: src:python-bleach
Version: 2.1.2-1
Severity: important
Tags: upstream, security


Version 2.1.3 (March 5th, 2018)
-------------------------------

**Security fixes**

* Attributes that have URI values weren't properly sanitized if the
  values contained character entities. Using character entities, it
  was possible to construct a URI value with a scheme that was not
  allowed that would slide through unsanitized.

  This security issue was introduced in Bleach 2.1. Anyone using
  Bleach 2.1 is highly encouraged to upgrade.
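
As an added illustration of the defect class the changelog describes (this is not bleach's code and not the 2.1.3 fix), the check below applies a scheme allow-list two ways: the naive version inspects the raw attribute text, so a disallowed scheme whose ':' or letters are written as character entities is never seen, while the hardened version decides on the value a browser would actually use. ALLOWED_SCHEMES, the helper names and the test vectors are all constructed for this example.

```python
import html
import re

# Constructed allow-list of URI schemes, in the spirit of a sanitizer's
# protocol setting. Added illustration of the defect class, not bleach code.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Scheme = ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") then ":"; a value such as
# "/path?x=a:b" does not match and is a relative URL with no scheme.
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
# Characters a browser trims from an attribute URL before parsing it.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def scheme_of(value: str):
    """Return the lowercase scheme of value, or None for a relative URL."""
    m = _SCHEME_RE.match(value)
    return m.group(1).lower() if m else None

def browser_view(raw_attr: str) -> str:
    """Normalise the attribute the way a browser does before URL parsing:
    decode character references once, drop embedded tab/newline/CR, and
    trim leading/trailing C0 controls and spaces."""
    text = html.unescape(raw_attr)
    text = re.sub(r"[\t\n\r]", "", text)
    return text.strip(_C0_AND_SPACE)

def uri_allowed_naive(raw_attr: str) -> bool:
    """Buggy check: looks at the attribute text as written in the markup.
    An entity such as &#58; hides the ':' so no scheme is seen at all."""
    scheme = scheme_of(raw_attr)
    return scheme is None or scheme in ALLOWED_SCHEMES

def uri_allowed(raw_attr: str) -> bool:
    """Hardened check: decide on the value the browser will actually use."""
    scheme = scheme_of(browser_view(raw_attr))
    return scheme is None or scheme in ALLOWED_SCHEMES

if __name__ == "__main__":
    # Constructed vectors: an allowed URL, a relative URL with ':' in its
    # query, and entity-obfuscated spellings of a disallowed scheme.
    for raw in ("https://example.org/", "/docs?q=a:b",
                "javascript&#58;void(0)", "&#106;avascript:void(0)",
                "java&#9;script:void(0)"):
        print(f"{raw!r:30} naive={uri_allowed_naive(raw)!s:5} "
              f"hardened={uri_allowed(raw)}")
```

A sanitizer regression suite should carry vectors of this shape so that any future change to the attribute pipeline that reorders decoding and scheme checking fails loudly.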



Message sent on to Scott Kitterman <debian@kitterman.com>:
Bug#892252. (Wed, 07 Mar 2018 19:21:08 GMT).


Message #8 received at 892252-submitter@bugs.debian.org:

From: scott@kitterman.com
To: 892252-submitter@bugs.debian.org
Subject: Bug #892252 in python-bleach marked as pending
Date: Wed, 07 Mar 2018 19:18:46 +0000
Control: tag -1 pending

Hello,

Bug #892252 in python-bleach reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/python-bleach/commit/ae078dff09bf9524e08c836b817caf7846a5bc23

------------------------------------------------------------------------
New upstream release (Closes: #892252)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/892252



Added tag(s) pending. Request was from scott@kitterman.com to 892252-submitter@bugs.debian.org. (Wed, 07 Mar 2018 19:21:08 GMT).


Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. (Wed, 07 Mar 2018 19:39:05 GMT).


Notification sent to Scott Kitterman <debian@kitterman.com>:
Bug acknowledged by developer. (Wed, 07 Mar 2018 19:39:05 GMT).


Message #15 received at 892252-close@bugs.debian.org:

From: Scott Kitterman <scott@kitterman.com>
To: 892252-close@bugs.debian.org
Subject: Bug#892252: fixed in python-bleach 2.1.3-1
Date: Wed, 07 Mar 2018 19:37:42 +0000
Source: python-bleach
Source-Version: 2.1.3-1

We believe that the bug you reported is fixed in the latest version of
python-bleach, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892252@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated python-bleach package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 07 Mar 2018 14:07:14 -0500
Source: python-bleach
Binary: python-bleach python3-bleach python-bleach-doc
Architecture: source all
Version: 2.1.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
 python-bleach - whitelist-based HTML-sanitizing library (Python 2)
 python-bleach-doc - whitelist-based HTML-sanitizing library (common documentation)
 python3-bleach - whitelist-based HTML-sanitizing library (Python 3)
Closes: 892252
Changes:
 python-bleach (2.1.3-1) unstable; urgency=high
 .
   [ Ondřej Nový ]
   * d/control: Set Vcs-* to salsa.debian.org
   * d/copyright: Use https protocol in Format field
 .
   [ Scott Kitterman ]
   * New upstream release (Closes: #892252)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#892252; Package src:python-bleach. (Thu, 08 Mar 2018 05:39:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 08 Mar 2018 05:39:03 GMT).


Message #20 received at 892252@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Scott Kitterman <debian@kitterman.com>, 892252@bugs.debian.org
Subject: Re: Bug#892252: src:python-bleach: URI values with character entities not properly sanitized
Date: Thu, 8 Mar 2018 06:34:08 +0100
Control: retitle -1 python-bleach: CVE-2018-7753: URI values with character entities not properly sanitized

Hi Scott,

On Wed, Mar 07, 2018 at 02:09:14AM -0500, Scott Kitterman wrote:
> Package: src:python-bleach
> Version: 2.1.2-1
> Severity: important
> Tags: upstream, security
> 
> 
> Version 2.1.3 (March 5th, 2018)
> -------------------------------
> 
> **Security fixes**
> 
> * Attributes that have URI values weren't properly sanitized if the
>   values contained character entities. Using character entities, it
>   was possible to construct a URI value with a scheme that was not
>   allowed that would slide through unsanitized.
> 
>   This security issue was introduced in Bleach 2.1. Anyone using
>   Bleach 2.1 is highly encouraged to upgrade.

FTR, this issue was assigned CVE-2018-7753 by MITRE.

Regards,
Salvatore



Changed Bug title to 'python-bleach: CVE-2018-7753: URI values with character entities not properly sanitized' from 'src:python-bleach: URI values with character entities not properly sanitized'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 892252-submit@bugs.debian.org. (Thu, 08 Mar 2018 05:39:03 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Apr 2018 07:28:01 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:17:22 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.