[USN-8077-1] Bleach vulnerabilities
Posted on 05 March 2026
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-8077-1
March 05, 2026
python-bleach vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Bleach.
Software Description:
- python-bleach: An allowed-list-based HTML sanitizing library that escapes or strips markup and attributes
Details:
It was discovered that Bleach did not properly sanitize URI attributes
containing character entities. An attacker could possibly use this issue
to construct a URI with a disallowed scheme that would bypass
sanitization, leading to cross-site scripting. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-7753)
Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with the noscript tag
and a raw tag in the allowed tags list. An attacker could possibly
use this issue to inject malicious content, leading to cross-site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-6802)
Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with RCDATA together
with svg or math tags in the allowed tags list. An attacker could
possibly use this issue to inject malicious content, leading to
cross-site scripting. (CVE-2020-6816)
It was discovered that Bleach incorrectly handled parsing of style
attributes when sanitizing HTML. An attacker could possibly use this
issue to perform a regular expression denial of service, leading to
excessive resource consumption. (CVE-2020-6817)
Yaniv Nizry and Michał Bentkowski discovered that Bleach was vulnerable
to a mutation cross-site scripting issue when sanitizing HTML with
certain combinations of allowed tags. An attacker could possibly use
this issue to inject malicious content, leading to cross-site scripting.
(CVE-2021-23980)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS (available with Ubuntu Pro):
- python-bleach-doc 3.1.1-1ubuntu0.1~esm1
- python3-bleach 3.1.1-1ubuntu0.1~esm1
Ubuntu 18.04 LTS (available with Ubuntu Pro):
- python-bleach 2.1.2-1ubuntu0.1~esm1
- python-bleach-doc 2.1.2-1ubuntu0.1~esm1
- python3-bleach 2.1.2-1ubuntu0.1~esm1
Ubuntu 16.04 LTS (available with Ubuntu Pro):
- python-bleach 1.4.2-1ubuntu0.1~esm1
- python-bleach-doc 1.4.2-1ubuntu0.1~esm1
- python3-bleach 1.4.2-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
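Added here as an example (not Ubuntu's own tooling): a Python check that reads the output of dpkg-query (a constructed sample is embedded below) and compares the installed python-bleach package versions against the fixed versions in this notice. It reimplements Debian's version ordering so that the ~esm1 suffix sorts the way dpkg sorts it (a tilde sorts before the end of the string, so 3.1.1-1 is older than 3.1.1-1ubuntu0.1~esm1, while 3.1.1-1ubuntu0.1 would be newer); on a real host, dpkg --compare-versions gives the same answer.

```python
# Fixed versions per release, copied from this notice's update instructions.
FIXED_VERSIONS = {
    "20.04": {"python-bleach-doc": "3.1.1-1ubuntu0.1~esm1",
              "python3-bleach": "3.1.1-1ubuntu0.1~esm1"},
    "18.04": {"python-bleach": "2.1.2-1ubuntu0.1~esm1",
              "python-bleach-doc": "2.1.2-1ubuntu0.1~esm1",
              "python3-bleach": "2.1.2-1ubuntu0.1~esm1"},
    "16.04": {"python-bleach": "1.4.2-1ubuntu0.1~esm1",
              "python-bleach-doc": "1.4.2-1ubuntu0.1~esm1",
              "python3-bleach": "1.4.2-1ubuntu0.1~esm1"},
}


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything, even the
    end of the string (weight 0); letters sort before other characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream version or a Debian revision the way dpkg does:
    alternating non-digit runs (by _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights; a missing character weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version ordering."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def parse_dpkg_query(output):
    """Parse lines of: dpkg-query -W -f='${Package} ${Version}\\n'"""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def outdated_packages(release, installed):
    """Return [(package, installed, fixed)] for packages from this notice
    that are installed at a version below the fixed one."""
    fixed = FIXED_VERSIONS.get(release, {})
    return [(pkg, ver, fixed[pkg]) for pkg, ver in sorted(installed.items())
            if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0]


# Constructed sample standing in for a real dpkg-query run on a 20.04 host.
SAMPLE_DPKG_OUTPUT = """python3-bleach 3.1.1-1
python-bleach-doc 3.1.1-1ubuntu0.1~esm1
python3-requests 2.22.0-2ubuntu1
"""

if __name__ == "__main__":
    for pkg, have, need in outdated_packages("20.04", parse_dpkg_query(SAMPLE_DPKG_OUTPUT)):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

On the sample, only python3-bleach is reported: python-bleach-doc already carries the ESM version and python3-requests is not part of this notice.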
References:
https://ubuntu.com/security/notices/USN-8077-1
CVE-2018-7753, CVE-2020-6802, CVE-2020-6816, CVE-2020-6817,
CVE-2021-23980