Packages
- python-bleach - An allowed-list-based HTML sanitizing library that escapes or strips markup and attributes
Details
It was discovered that Bleach did not properly sanitize URI attributes
containing character entities. An attacker could possibly use this issue
to construct a URI with a disallowed scheme that would bypass
sanitization, leading to cross-site scripting. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-7753)
Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with the noscript tag
and a raw tag in the allowed tags list. An attacker could possibly
use this issue to inject malicious content, leading to cross-site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-6802)
Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with RCDATA together
with svg or math tags in the allowed tags list. An attacker could
possibly...
It was discovered that Bleach did not properly sanitize URI attributes
containing character entities. An attacker could possibly use this issue
to construct a URI with a disallowed scheme that would bypass
sanitization, leading to cross-site scripting. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-7753)
Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with the noscript tag
and a raw tag in the allowed tags list. An attacker could possibly
use this issue to inject malicious content, leading to cross-site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-6802)
Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with RCDATA together
with svg or math tags in the allowed tags list. An attacker could
possibly use this issue to inject malicious content, leading to
cross-site scripting. (CVE-2020-6816)
It was discovered that Bleach incorrectly handled parsing of style
attributes when sanitizing HTML. An attacker could possibly use this
issue to perform a regular expression denial of service, leading to
excessive resource consumption. (CVE-2020-6817)
Yaniv Nizry and MichaĆ Bentkowski discovered that Bleach was vulnerable
to a mutation cross-site scripting issue when sanitizing HTML with
certain combinations of allowed tags. An attacker could possibly use
this issue to inject malicious content, leading to cross-site scripting.
(CVE-2021-23980)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 20.04 LTS focal | python-bleach-doc – 3.1.1-1ubuntu0.1~esm1 | ||
| python3-bleach – 3.1.1-1ubuntu0.1~esm1 | |||
| 18.04 LTS bionic | python-bleach – 2.1.2-1ubuntu0.1~esm1 | ||
| python-bleach-doc – 2.1.2-1ubuntu0.1~esm1 | |||
| python3-bleach – 2.1.2-1ubuntu0.1~esm1 | |||
| 16.04 LTS xenial | python-bleach – 1.4.2-1ubuntu0.1~esm1 | ||
| python-bleach-doc – 1.4.2-1ubuntu0.1~esm1 | |||
| python3-bleach – 1.4.2-1ubuntu0.1~esm1 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.