python-bleach (2.1.2-1ubuntu0.1~esm1) bionic-security; urgency=medium

  * SECURITY UPDATE: XSS via unsanitized URI attributes when character entities
    obfuscate a disallowed scheme
    - debian/patches/CVE-2018-7753.patch: Enforce URI protocol validation after
      entity decoding in bleach/sanitizer.py
    - CVE-2018-7753
  * SECURITY UPDATE: Mutation XSS when <noscript> is whitelisted and parsed in
    a non-browser scripting context
    - debian/patches/CVE-2020-6802.patch: Ensure <noscript> is parsed with
      scripting enabled to match browser behavior in bleach/sanitizer.py
    - CVE-2020-6802
  * SECURITY UPDATE: Mutation XSS when RCDATA and svg/math are whitelisted with
    strip=False
    - debian/patches/CVE-2020-6816.patch: Enforce RCDATA escaping during
      serialization in bleach/sanitizer.py
    - CVE-2020-6816
  * SECURITY UPDATE: ReDoS in style sanitization when style is allowed on a
    whitelisted tag
    - debian/patches/CVE-2020-6817.patch: Tighten and make the CSS gauntlet
      regex verbose to reduce backtracking in bleach/sanitizer.py
    - CVE-2020-6817
  * SECURITY UPDATE: Mutation XSS when svg/math plus eject tags are whitelisted
    and HTML comments are preserved
    - debian/patches/CVE-2021-23980-1.patch: Escape HTML comment token content
      when comments are not stripped in bleach/sanitizer.py
    - debian/patches/CVE-2021-23980-2.patch: Expand eject-tag mutation XSS
      coverage with additional parametrized tests in tests/test_clean.py
    - CVE-2021-23980

 -- Shafayat Hossain Majumder <shafayat.majumder@canonical.com>  Tue, 03 Mar 2026 12:23:34 -0500

python-bleach (2.1.2-1) unstable; urgency=medium

  * New upstream release
  * Bump standards-version to 4.1.3 without further change
  * Bump minimum debhelper version to 9 to match compat

 -- Scott Kitterman <scott@kitterman.com>  Tue, 09 Jan 2018 23:32:15 -0500

python-bleach (2.0-1) unstable; urgency=medium

  * New upstream release (Closes: #844943)
    - Update minimum html5lib version requirement
    - Update debian/copyright
    - Drop override of dh_auto_test and add pytest/3 and pytest/3-runner to
      build-depends so tests still run
    - Drop obsolete build-depends on python/3-nose
  * Agreed maintainer change to DPMT
    - Updated Vcs-* fields in debian/control

 -- Scott Kitterman <scott@kitterman.com>  Fri, 10 Mar 2017 14:08:47 -0500

python-bleach (1.4.2-1) unstable; urgency=low

  [ Per Andersson ]
  * Bump debhelper compat level to 9 (level 8 is required in Build-Depends).
  * Add extend-diff-ignore for egg.info in debian/source/options.
  * d/watch: Use github.com, githubredir is deprecated.
  * Use my @debian.org address.
  * Use HTTPS protocol for Homepage and Vcs-* fields.

  [ Christopher Baines ]
  * New upstream release.
    - Includes upstream fix for #798441 (Closes: #798441).
  * Up standards version to 3.9.6, no changes required.

 -- Per Andersson <avtobiff@debian.org>  Mon, 22 Feb 2016 20:38:36 +0100

python-bleach (1.4-1) unstable; urgency=low

  * New upstream release
    - License changed to Apache License 2.0
    - Add python*-six to Build-Depends
  * Shipping both python2 and python3 packages
    - Add python3-html5lib to Build-Depends
  * Running tests during build
    - Add python*-nose to Build-Depends
  * Packaging license changed to Apache License 2.0
  * Bumped Standards-Version to 3.9.5, no changes needed
  * Add common doc package
    - Binary packages suggest this package
    - Add python*-sphinx to Build-Depends

 -- Per Andersson <avtobiff@gmail.com>  Fri, 14 Feb 2014 00:59:20 +0100

python-bleach (1.2.2-1) unstable; urgency=low

  * Initial release (Closes: #686902)

 -- Per Andersson <avtobiff@gmail.com>  Sun, 09 Jun 2013 19:46:56 +0200
