Ubuntu alert USN-8077-1 (python-bleach)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8077-1] Bleach vulnerabilities | |
| Date: | Thu, 05 Mar 2026 18:17:22 +0000 | |
| Message-ID: | <E1vyDGE-0004Hm-TH@lists.ubuntu.com> |
==========================================================================
Ubuntu Security Notice USN-8077-1
March 05, 2026

python-bleach vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Bleach.

Software Description:
- python-bleach: An allowed-list-based HTML sanitizing library that
  escapes or strips markup and attributes

Details:

It was discovered that Bleach did not properly sanitize URI attributes
containing character entities. An attacker could possibly use this issue
to construct a URI with a disallowed scheme that would bypass
sanitization, leading to cross-site scripting. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-7753)

Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with the noscript tag and
a raw tag in the allowed tags list. An attacker could possibly use this
issue to inject malicious content, leading to cross-site scripting. This
issue only affected Ubuntu 18.04 LTS. (CVE-2020-6802)

Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with RCDATA together with
svg or math tags in the allowed tags list. An attacker could possibly use
this issue to inject malicious content, leading to cross-site scripting.
(CVE-2020-6816)

It was discovered that Bleach incorrectly handled parsing of style
attributes when sanitizing HTML. An attacker could possibly use this
issue to perform a regular expression denial of service, leading to
excessive resource consumption. (CVE-2020-6817)

Yaniv Nizry and Michał Bentkowski discovered that Bleach was vulnerable
to a mutation cross-site scripting issue when sanitizing HTML with
certain combinations of allowed tags. An attacker could possibly use this
issue to inject malicious content, leading to cross-site scripting.
(CVE-2021-23980)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  python-bleach-doc               3.1.1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-bleach                  3.1.1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  python-bleach                   2.1.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-bleach-doc               2.1.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-bleach                  2.1.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-bleach                   1.4.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-bleach-doc               1.4.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-bleach                  1.4.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8077-1
  CVE-2018-7753, CVE-2020-6802, CVE-2020-6816, CVE-2020-6817, CVE-2021-23980
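The fixed versions above all carry a "~esm1" suffix, and Debian/Ubuntu version ordering treats "~" as sorting before everything, including the empty string, so a naive string comparison gets the "am I patched?" question wrong. The script below is an added example, not part of the notice or of the python-bleach package: it implements the dpkg version-comparison algorithm in plain Python and checks a constructed `dpkg-query -W -f '${Package}\t${Version}\n'` listing (the sample lines are made up for this example) against the package versions USN-8077-1 lists for each release.

```python
"""Check installed python-bleach packages against the fixed versions in USN-8077-1.

Added example (not from the notice). The dpkg_compare() function reproduces
the dpkg version ordering (epoch, upstream, revision; '~' sorts before the
empty string; digit runs compare numerically), which is what decides whether
an installed version is older than a fixed one.
"""

# Fixed versions exactly as listed in USN-8077-1, per release.
FIXED = {
    "Ubuntu 20.04 LTS": {
        "python-bleach-doc": "3.1.1-1ubuntu0.1~esm1",
        "python3-bleach": "3.1.1-1ubuntu0.1~esm1",
    },
    "Ubuntu 18.04 LTS": {
        "python-bleach": "2.1.2-1ubuntu0.1~esm1",
        "python-bleach-doc": "2.1.2-1ubuntu0.1~esm1",
        "python3-bleach": "2.1.2-1ubuntu0.1~esm1",
    },
    "Ubuntu 16.04 LTS": {
        "python-bleach": "1.4.2-1ubuntu0.1~esm1",
        "python-bleach-doc": "1.4.2-1ubuntu0.1~esm1",
        "python3-bleach": "1.4.2-1ubuntu0.1~esm1",
    },
}

# Constructed sample of `dpkg-query -W -f '${Package}\t${Version}\n'` output
# for a hypothetical 18.04 host: one package updated, one still on the
# original release version.
SAMPLE_DPKG_OUTPUT = (
    "python3-bleach\t2.1.2-1\n"
    "python-bleach\t2.1.2-1ubuntu0.1~esm1\n"
    "python3-six\t1.11.0-2\n"
)


def _order(c):
    """dpkg character weight: '~' < end-of-string/digit < letters < other."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision fragment the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i += 1
            j += 1
        # Digit run: compare numerically (leading zeros are irrelevant).
        na = nb = 0
        while i < len(a) and a[i].isdigit():
            na = na * 10 + int(a[i])
            i += 1
        while j < len(b) and b[j].isdigit():
            nb = nb * 10 + int(b[j])
            j += 1
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three components."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def assess(release, dpkg_output):
    """Map each USN-listed package found in dpkg_output to (installed, fixed, vulnerable)."""
    fixed = FIXED[release]
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split("\t")[:2]
        if pkg in fixed:
            result[pkg] = (ver, fixed[pkg], dpkg_compare(ver, fixed[pkg]) < 0)
    return result


if __name__ == "__main__":
    for pkg, (installed, fixed, vulnerable) in assess("Ubuntu 18.04 LTS", SAMPLE_DPKG_OUTPUT).items():
        state = "VULNERABLE" if vulnerable else "ok"
        print(f"{pkg:<20} installed={installed:<24} fixed={fixed:<24} {state}")
```

On a real host, replace SAMPLE_DPKG_OUTPUT with the output of the dpkg-query command named above and pick the release key that matches the system. Note that the ~esm1 packages are only published for Ubuntu Pro subscribers, so on a host without Pro a plain "apt upgrade" will leave the package at its old version and this check will keep reporting it as vulnerable; that is the correct answer, not a false positive.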
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmmpx2IACgkQcpJm3tlz
hgF6rA//bkfP5jZ9M9IuRGN20aaam9K6vOmhCKqZGWCPwAEzsA293eB02mvxdfYr
7xH2aAqNlDoSjp0x0mxqNczIcY7yy4fPx2ZG4s1q+BZWuuQ2zoRkNgABDfP2BIgh
K6C4nJvpbixzYrak98OympzyvoRQI3euDO6KRbwdusZiob3V52Zxpfgw9c2Ltt5g
tVGD75DMYSWq6LhESONZRcCmXufHgwpMEHAEhENGUnZN2bUqtcoEW3ynC2de/IrQ
t2QfE71ccfOikjwPVI7SkLRMtwv08k2uuwfKEjLOf9CCSFMCMnpfG5anNnDXKPhy
oP1dGQdY+v0yN88yBQzJME1kmcifCHjOXeCJ+zYOmtuPyWagRXEfP7MDgkMAwVv2
C+OkCGJ9tcijePxhH3qU6chtaB7+7Ea2VBqcouOnw9sy6ovR4yslrF/QTNS6BlH0
McS6K7mLKDoRNLMt5iz3o+4mRHN93lw8RdhhAuXoWRAWJfq4TXGODLUsAYs5E3my
kxw+gXG+RrWagvIvTmvzgKSQu7LmojAG2dday9WMzfotPJWT9KfLYim/wACvn1i7
/ZdLvlhBhkafPykqraQmDIWNZtTQOuepIBQJcASvbiTRr4Y7hhzrjZLOblcjgTNy
8kdSDMspjhzobueUWB0jGqSLOvqIJwO3DylM1f9Wc8MTK1nbhH0=
=kT/a
-----END PGP SIGNATURE-----
