Version in base suite: 3.1.0-1
Base version: python-bleach_3.1.0-1
Target version: python-bleach_3.1.1-0+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-bleach/python-bleach_3.1.0-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-bleach/python-bleach_3.1.1-0+deb10u1.dsc
 CHANGES | 37 ++++++++++++++++++++++++++++++++++++-
 bleach/__init__.py | 4 ++--
 bleach/html5lib_shim.py | 7 ++++++-
 debian/changelog | 7 +++++++
 debian/gbp.conf | 2 +-
 tests/test_clean.py | 28 ++++++++++++++++++++++++++++
 6 files changed, 80 insertions(+), 5 deletions(-)
diff -Nru python-bleach-3.1.0/CHANGES python-bleach-3.1.1/CHANGES
--- python-bleach-3.1.0/CHANGES 2019-01-09 15:09:26.000000000 +0000
+++ python-bleach-3.1.1/CHANGES 2020-02-19 17:34:12.000000000 +0000
@@ -1,6 +1,41 @@
 Bleach changes
 ==============
+Version 3.1.1 (February 13th, 2020)
+-----------------------------------
+
+**Security fixes**
+
+* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
+ browser behavior.
+
+ Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
+ the raw text tags (``title``, ``textarea``, ``script``, ``style``,
+ ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
+ to a mutation XSS.
+
+ This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
+ and v3.1.0. Earlier versions are probably affected too.
+
+ Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
+
+**Backwards incompatible changes**
+
+None
+
+**Features**
+
+None
+
+**Bug fixes**
+
+None
+
+Bleach changes
+==============
+
 Version 3.1.0 (January 9th, 2019)
 ---------------------------------
@@ -76,7 +111,7 @@
 * Fix ``list`` object has no attribute ``lower`` in ``clean``. (#398)
 * Fix ``abbr`` getting escaped in ``linkify``. (#400)
-
+
 Version 3.0.0 (October 3rd, 2018)
 ---------------------------------
diff -Nru python-bleach-3.1.0/bleach/__init__.py python-bleach-3.1.1/bleach/__init__.py
--- python-bleach-3.1.0/bleach/__init__.py 2019-01-09 15:09:26.000000000 +0000
+++ python-bleach-3.1.1/bleach/__init__.py 2020-02-19 17:34:12.000000000 +0000
@@ -18,9 +18,9 @@
 # yyyymmdd
-__releasedate__ = '20190109'
+__releasedate__ = '20200213'
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = '3.1.0'
+__version__ = '3.1.1'
 VERSION = parse_version(__version__)
diff -Nru python-bleach-3.1.0/bleach/html5lib_shim.py python-bleach-3.1.1/bleach/html5lib_shim.py
--- python-bleach-3.1.0/bleach/html5lib_shim.py 2019-01-09 15:09:26.000000000 +0000
+++ python-bleach-3.1.1/bleach/html5lib_shim.py 2020-02-19 17:34:12.000000000 +0000
@@ -376,7 +376,12 @@
 self.consume_entities = consume_entities
 super(BleachHTMLParser, self).__init__(**kwargs)
- def _parse(self, stream, innerHTML=False, container='div', scripting=False, **kwargs):
+ def _parse(self, stream, innerHTML=False, container='div', scripting=True, **kwargs):
+ # set scripting=True to parse