On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote: > CVE-2021-28957 21.03.21 06:15 > lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in > html/defs.py) for later use in input sanitization, but does not do the > same for the HTML5 formaction attribute.
Thanks for the notification. I checked on some other distros that, like us, try to avoid major updates of packages with a lot of dependents: https://security-tracker.debian.org/tracker/CVE-2021-28957 https://access.redhat.com/security/cve/cve-2021-28957 So, both Debian and Red Hat are still shipping the vulnerable packages. At least, we are in good company. We would monitor the Debian page and copy their patch, if they decide to fix the bug. > Upstream fixed it in 4.6.3 ( > https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d > ), so we should probably upgrade to that. > > Has lots of dependents so I suppose it needs grafting? Is that useful > and does it work for Python packages? Grafting Python packages is not something we've done in the past, as far as I can tell from reading the Git log, although I don't recall know if it works or not.
signature.asc
Description: PGP signature
