| Name | CVE-2024-34078 |
| Description | html-sanitizer is an allowlist-based HTML cleaner. If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has been fixed in 2.4.2. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3856-1 |
| Debian Bugs | 1070710 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-html-sanitizer (PTS) | bullseye | 1.9.1-2 | vulnerable |
| bullseye (security) | 1.9.1-2+deb11u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-html-sanitizer | source | bullseye | 1.9.1-2+deb11u1 | DLA-3856-1 | ||
| python-html-sanitizer | source | (unstable) | (unfixed) | 1070710 |
https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3
https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550 (2.4.2)