Bug#952656: how to reproduce in docker

2020-02-27 Thread Paolo Greppi
1. hanging:

docker run --rm -it debian:buster-slim /bin/bash
apt update 
apt install -y --no-install-recommends yarnpkg
yarnpkg add --verbose highlight.js

output:

yarn add v1.13.0
verbose 0.668 Checking for configuration file "/.npmrc".
verbose 0.668 Checking for configuration file "/usr/local/share/.npmrc".
verbose 0.669 Checking for configuration file "/usr/etc/npmrc".
verbose 0.669 Checking for configuration file "/root/.npmrc".
verbose 0.669 Checking for configuration file "/.npmrc".
verbose 0.67 Checking for configuration file "/.yarnrc".
verbose 0.67 Checking for configuration file "/usr/local/share/.yarnrc".
verbose 0.671 Checking for configuration file "/usr/etc/yarnrc".
verbose 0.671 Checking for configuration file "/root/.yarnrc".
verbose 0.671 Checking for configuration file "/.yarnrc".
verbose 0.675 current time: 2020-02-27T07:30:32.620Z
info No lockfile found.
verbose 0.805 Performing "GET" request to "https://yarnpkg.com/latest-version".
[1/4] Resolving packages...
verbose 1.088 Performing "GET" request to "https://registry.yarnpkg.com/highlight.js".
⠂ highlight.js

[hangs]

2. crashing:

docker run --rm -it debian:buster-slim /bin/bash
apt update 
apt install -y --no-install-recommends yarnpkg
cat > package.json
{
  "dependencies": {
    "highlight.js": "^9.18.1"
  }
}
^d
cat > yarn.lock
highlight.js@^9.18.1:
  version "9.18.1"
  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.18.1.tgz#ed21aa001fe6252bb10a3d76d47573c6539fe13c"
  integrity sha512-OrVKYz70LHsnCgmbXctv/bfuvntIKDz177h0Co37DQ5jamGZLVmoCVMtjMtNZY3X9DrCcKfklHPNeA0uPZhSJg==
^d
yarnpkg install --verbose

output:

yarn install v1.13.0
warning package.json: No license field
verbose 0.616 Checking for configuration file "/.npmrc".
verbose 0.617 Checking for configuration file "/usr/local/share/.npmrc".
verbose 0.617 Checking for configuration file "/usr/etc/npmrc".
verbose 0.617 Checking for configuration file "/root/.npmrc".
verbose 0.618 Checking for configuration file "/.npmrc".
verbose 0.618 Checking for configuration file "/.yarnrc".
verbose 0.619 Checking for configuration file "/usr/local/share/.yarnrc".
verbose 0.619 Checking for configuration file "/usr/etc/yarnrc".
verbose 0.619 Checking for configuration file "/root/.yarnrc".
verbose 0.619 Checking for configuration file "/.yarnrc".
verbose 0.624 current time: 2020-02-27T07:40:15.667Z
verbose 0.723 Performing "GET" request to "https://yarnpkg.com/latest-version".
warning No license field
[1/4] Resolving packages...
[2/4] Fetching packages...
verbose 0.997 Performing "GET" request to "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.18.1.tgz".

also, the error is not reported: echo $? returns: 0

P.



Bug#952572: procps: move binaries back to /bin

2020-02-27 Thread Craig Small
On Thu, 27 Feb. 2020, 4:51 pm Paul Wise wrote:

>
> Another option would be a compat symlink.
>

I did think of that but then you have to conditionally put a symlink in
when there isn't the /bin directory link or maybe usrmerge there doing its
thing or perhaps there is some third thing that does this linking I didn't
know about.

So it was just easier to put the binaries back to /bin. I don't personally
run any unmerged systems so it is hard to test and keep testing.

If someone comes up with an install time helper that does this conditional
moving then I'll use that.

 - Craig


Bug#952667: fscrypt: Please package fscrypt 2.6, it has a new policy that is said to be much better

2020-02-27 Thread valette
Source: fscrypt
Version: 0.2.5-2
Severity: wishlist

Discussing bugs, I have been told to use the new version to reproduce and if
possible to move to the new policy that is said to be much more robust.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.22 (SMP w/2 CPU cores; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)



Bug#952639: src:budgie-desktop: Compile using mutter-6

2020-02-27 Thread David Mohammed
Ah - I see it's in the new queue.  I'll have to wait until the
archive-admins have accepted it so that I can test build followed by
an upload.

On Wed, 26 Feb 2020 at 18:50, Marco Trevisan wrote:
>
> On 26/02/20 19:13, David Mohammed wrote:
> > Thx. Has mutter 6 been uploaded yet? If so... experimental or unstable?
>
> Yes, it's in experimental so far.
>
> mutter (3.35.91-1) experimental



Bug#952666: pure-ftpd: CVE-2020-9274

2020-02-27 Thread Salvatore Bonaccorso
Source: pure-ftpd
Version: 1.0.49-3
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for pure-ftpd.

CVE-2020-9274[0]:
| An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer
| vulnerability has been detected in the diraliases linked list. When
| the *lookup_alias(const char alias) or print_aliases(void) function is
| called, they fail to correctly detect the end of the linked list and
| try to access a non-existent list member. This is related to
| init_aliases in diraliases.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9274
[1] https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
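
The defect class described in the advisory above, as an added illustration that is not pure-ftpd's code: a singly linked alias list whose walkers stop only at a NULL `next`, so the append routine has to set it on every new tail. The struct layout, `add_alias`, `count_aliases` and the poisoning allocator are assumptions made for this example, and the sample entries are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical alias list modelled on the CVE text; not pure-ftpd's code. */
typedef struct Alias {
    const char *alias;      /* strings are owned by the caller in this sketch */
    const char *dir;
    struct Alias *next;
} Alias;

static Alias *head, *tail;

/* Test allocator: fill new memory with 0xA5 so a field the code forgets to
 * set holds recognisable garbage, as recycled heap memory can. */
static void *poisoned_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0xA5, n);
    return p;
}

/* Append one alias; returns 0 on success, -1 on allocation failure. */
int add_alias(const char *alias, const char *dir)
{
    Alias *node = poisoned_malloc(sizeof *node);
    if (node == NULL)
        return -1;
    node->alias = alias;
    node->dir = dir;
    /* The line that matters: without it the tail's next pointer is whatever
     * the allocator returned, and both walkers below run past the last entry. */
    node->next = NULL;
    if (head == NULL)
        head = node;
    else
        tail->next = node;
    tail = node;
    return 0;
}

/* Returns the directory for an alias, or NULL when it is not in the list. */
const char *lookup_alias(const char *alias)
{
    for (const Alias *cur = head; cur != NULL; cur = cur->next)
        if (strcmp(cur->alias, alias) == 0)
            return cur->dir;
    return NULL;
}

/* Walks the whole list, as a print_aliases-style function would. */
size_t count_aliases(void)
{
    size_t n = 0;
    for (const Alias *cur = head; cur != NULL; cur = cur->next)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample entries. */
    if (add_alias("pub", "/srv/ftp/pub") != 0 || add_alias("logs", "/var/log/ftp") != 0)
        return 1;
    printf("%zu aliases; lookup of a missing alias returns %s\n",
           count_aliases(), lookup_alias("missing") ? "a match" : "NULL");
    return 0;
}
```

Running the same walkers under a poisoning allocator, or under a memory sanitizer, makes an unset tail pointer fail deterministically in tests instead of depending on what the heap happened to contain.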



Bug#888705: abseil-cpp packaging

2020-02-27 Thread Olaf van der Spek
On Thu 27 Feb. 2020 at 06:54, László Böszörményi wrote:
>  Are you going to rename it to abseil-cpp (as Google has abseil-python
> as well, make a disparity between the two)?

Python libraries use a "python3-" prefix while C/C++ libraries use a
"lib" prefix, so I don't think it makes sense to change the name.



Bug#952665: debian-edu-config: Don't do unnecessary wget to the internet

2020-02-27 Thread Petter Reinholdtsen
[Mike Gabriel]
> The dc=skole object in LDAP can reference a Firefox/Chromium default  
> homepage in its labeledURI field. If this URI points to some school  
> homepage on the internet, we observe bad system logon performance in  
> computer labs.

If you place ( 

Bug#952656: related upstream bug + behavior of upstream-provided package

2020-02-27 Thread Paolo Greppi
see: https://github.com/yarnpkg/yarn/issues/1390

upstream-provided package correctly reports the error:

docker run --rm -it debian:buster-slim /bin/bash

apt update && apt install -y curl gnupg2
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
apt update && apt install -y yarn
apt remove ca-certificates
cat > package.json
{
  "dependencies": {
    "highlight.js": "^9.18.1"
  }
}
^d
cat > yarn.lock
highlight.js@^9.18.1:
  version "9.18.1"
  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.18.1.tgz#ed21aa001fe6252bb10a3d76d47573c6539fe13c"
  integrity sha512-OrVKYz70LHsnCgmbXctv/bfuvntIKDz177h0Co37DQ5jamGZLVmoCVMtjMtNZY3X9DrCcKfklHPNeA0uPZhSJg==
^d
yarn install --verbose
yarn install v1.22.0
warning package.json: No license field
verbose 0.77 Checking for configuration file "/.npmrc".
verbose 0.77 Checking for configuration file "/usr/local/share/.npmrc".
verbose 0.771 Checking for configuration file "/usr/etc/npmrc".
verbose 0.771 Checking for configuration file "/root/.npmrc".
verbose 0.771 Checking for configuration file "/.npmrc".
verbose 0.772 Checking for configuration file "/.yarnrc".
verbose 0.772 Checking for configuration file "/usr/local/share/.yarnrc".
verbose 0.773 Checking for configuration file "/usr/etc/yarnrc".
verbose 0.773 Checking for configuration file "/root/.yarnrc".
verbose 0.773 Checking for configuration file "/.yarnrc".
verbose 0.777 current time: 2020-02-27T08:00:59.988Z
verbose 0.813 Performing "GET" request to "https://yarnpkg.com/latest-version".
warning No license field
[1/4] Resolving packages...
[2/4] Fetching packages...
verbose 0.877 Performing "GET" request to "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.18.1.tgz".
verbose 0.968 Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1055:34)
    at TLSSocket.emit (events.js:189:13)
    at TLSSocket._finishInit (_tls_wrap.js:633:8)
error An unexpected error occurred: "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.18.1.tgz: unable to get local issuer certificate".
info If you think this is a bug, please open a bug report with the information provided in "/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

so there is something wrong with our package

P.



Bug#952676: Add autopkg tests to WolfSSL

2020-02-27 Thread Otto Kekäläinen
Package: wolfssl
Priority: wishlist

Hello!

It would be nice if the package had tests. Currently it seems to build
on all platforms, but we cannot be sure that it actually _runs_ on all
platforms. I am currently looking into an issue where MariaDB with
WolfSSL builds on s390x but the binary immediately crashes when run.
This case encouraged me to file this issue.

The autopkg test could build some dummy small package that simply
calls something trivial in the libwolfssl ABI just to see that it
actually runs and does not crash due to platform-incompatibility issues.



Bug#937253: pbbarcode: Python2 removal in sid/bullseye

2020-02-27 Thread Andreas Tille
Control: tags -1 pending
Control: blocked -1 by 937256

Hi Scott,

On Thu, Feb 27, 2020 at 12:07:17AM -0500, Scott Kitterman wrote:
> This is dead upstream (the GitHub repository listed as the homepage for the 
> package is marked "This repository has been archived by the owner. It is now 
> read-only."  I think that's a strong sign there won't be a python3 port and 
> the package should be removed.

The actual Python3 port of this package is not that hard and has resided in
Git[1] for some time.  The problem is that pbbarcode depends on pbh5tools
which does not build with latest pbcore.  So this is the real show
stopper to upload a migrated pbbarcode.

In any case I have uploaded a new version of smrtanalysis metapackage
where pbbarcode was lowered to suggests which would enable removal of
pbbarcode without dependency issues.

Kind regards

  Andreas.


[1] https://salsa.debian.org/med-team/pbbarcode/-/blob/master/debian/patches/2to3.patch


-- 
http://fam-tille.de



Bug#952671: Please port to libfprint2 API

2020-02-27 Thread Laurent Bigonville
Source: biometric-authentication
Version: 0.9.62-2
Severity: important

Hello,

Your package is using libfprint. Recently a new version of libfprint
that breaks quite substantially the API has been released.

Could you please make sure that biometric-authentication is ported to
the new API? I would like to upload it "soon" to unstable.

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy



Bug#919181: status of ITP: laminar

2020-02-27 Thread meskio
Dmitry, I see the issue on vue-router.js has been solved for some months.
But no movement has been happening in this ITP. Are you still interested in
packaging it? Do you need some help? Or someone to take it over?

I have updated your package to the latest laminar release (0.8):
https://salsa.debian.org/meskio-guest/laminar/

-- 
meskio | http://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 My contact info: http://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.




Bug#509820: IT Administration Department

2020-02-27 Thread Ünzi̇le KARAYEL
Today, Thursday, 27 February 2020, we are upgrading our e-mail system
to Microsoft Outlook Web access 2020. This service creates more
space and easy access to e-mail. Update your account by clicking the link below and
fill in the information for activation.
Click for Activation
CLICK HERE
Failure to complete the information will make your account inactive!
Thank you.
IT Administration Department,
(@) 2020. All rights reserved.

This e-mail and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you are not the intended recipient you are hereby notified that any 
dissemination, forwarding, copying or use of any of the information is strictly 
prohibited, and the e-mail should immediately be deleted. Turk Eximbank makes 
no warranty as to the accuracy or completeness of any information contained in 
this message and hereby excludes any liability of any kind for the information 
contained therein or for the information transmission, reception, storage or 
use of such in any way whatsoever. The opinions expressed in this message 
belong to sender alone and may not necessarily reflect the opinions.



Bug#952633: Re: Bug#952633: gnumed-client: hints for py3 packaging

2020-02-27 Thread Karsten Hilbert
> > GNUmed v1.8 runs on Python3 / wxPython 4. Version 1.8.0rc3 has just been 
> > released.
>
> https://www.gnumed.de/downloads/client/
>
> has only rc3.

Indeed ?

Karsten



Bug#951943: blockattack: FTBFS: SagoDataHolder.hpp:26:10: fatal error: SDL_mixer.h: No such file or directory

2020-02-27 Thread Markus Koschany

Hi Simon,

thanks for the patch, very helpful. I have forwarded it upstream to

https://github.com/blockattack/blockattack-game/issues/23

Regards,

Markus






Bug#927254: closed by Xavier Guimard (Bug#927254: fixed in vue-router.js 3.0.7+ds-1)

2020-02-27 Thread meskio
Quoting Paolo Greppi (2019-10-31 18:39:16)
> On Sat, 14 Sep 2019 09:53:18 + Dmitry Bogatov  wrote:
> > ...
> > It does not build for me. Neither it builds on Salsa CI (I added
> > debian/.gitlab-ci.yml on branch `wip').
> > 
> > https://salsa.debian.org/js-team/vue-router.js/-/jobs/321533
> > -- 
> > Note, that I send and fetch email in batch, once in a few days.
> > Please, mention in body of your reply when you add or remove recipients.
> 
> Hi Dmitry, I have fixed the dangling symlink in libjs-vue-route.
> 
> It now builds locally and on Salsa CI (I enabled it for master branch as 
> well):
> https://salsa.debian.org/js-team/vue-router.js/-/jobs/393462

I'm trying to build it locally to test the laminar package but it fails to
build from the master branch of the repo (I have to say it is my first time
using gbp):
'''
❯ gbp buildpackage
gbp:info: Performing the build
 dpkg-buildpackage -us -uc -ui -i -I
[...]
make: 'build' is up to date.
 fakeroot debian/rules binary
dh binary --with nodejs
   dh_update_autotools_config
   dh_autoreconf
   dh_auto_configure --buildsystem=nodejs
   debian/rules override_dh_auto_build
make[1]: Entering directory '/home/user/dev/laminar/vue-router.js'
dh_auto_build
mkdir node_modules
ln -s /usr/*/nodejs/path-to-regexp node_modules/
NODE_PATH=debian/node_modules node build/build.js
{ Error: 'default' is not exported by 
../../../../../usr/share/nodejs/path-to-regexp/dist.es2015/index.js
at Object.error (/usr/share/nodejs/rollup/src/utils/error.js:10:30)
at Module.error (/usr/share/nodejs/rollup/src/Module.js:405:17)
at handleMissingExport (/usr/share/nodejs/rollup/src/Module.js:74:21)
at Module.traceVariable (/usr/share/nodejs/rollup/src/Module.js:506:17)
at ModuleScope.findVariable 
(/usr/share/nodejs/rollup/src/ast/scopes/ModuleScope.js:80:29)
at FunctionScope.Scope.findVariable 
(/usr/share/nodejs/rollup/src/ast/scopes/Scope.js:70:68)
at Scope.findVariable 
(/usr/share/nodejs/rollup/src/ast/scopes/Scope.js:70:68)
at Identifier.bind 
(/usr/share/nodejs/rollup/src/ast/nodes/Identifier.js:50:40)
at CallExpression.NodeBase.bind 
(/usr/share/nodejs/rollup/src/ast/nodes/shared/Node.js:39:23)
at CallExpression.bind 
(/usr/share/nodejs/rollup/src/ast/nodes/CallExpression.js:30:31)
  code: 'MISSING_EXPORT',
  url:
   'https://rollupjs.org/guide/en#error-name-is-not-exported-by-module-',
  pos: 15,
  loc:
   { file:
  '/home/user/dev/laminar/vue-router.js/src/create-route-map.js',
 line: 3,
 column: 7 },
  frame:
   '1: /* @flow */\n2: \n3: import Regexp from \'path-to-regexp\'\n  
^\n4: import { cleanPath } from \'./util/path\'\n5: import { assert, warn } 
from \'./util/warn\'' }
rm -rf node_modules
make[1]: Leaving directory '/home/user/dev/laminar/vue-router.js'
   dh_auto_test --buildsystem=nodejs
/usr/bin/node -e require\(\"./.\"\)
internal/modules/cjs/loader.js:638
throw err;
^

Error: Cannot find module './.'
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
at Function.Module._load (internal/modules/cjs/loader.js:562:25)
at Module.require (internal/modules/cjs/loader.js:692:17)
at require (internal/modules/cjs/helpers.js:25:18)
at [eval]:1:1
at Script.runInThisContext (vm.js:122:20)
at Object.runInThisContext (vm.js:329:38)
at Object. ([eval]-wrapper:6:22)
at Module._compile (internal/modules/cjs/loader.js:778:30)
at evalScript (internal/bootstrap/node.js:590:27)
dh_auto_test: error: /usr/bin/node -e require\(\"./.\"\) returned exit code 1
make: *** [debian/rules:8: binary] Error 25
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit 
status 2
debuild: fatal error at line 1182:
dpkg-buildpackage -us -uc -ui -i -I failed
gbp:error: 'debuild -i -I' failed: it exited with 29
'''

Any idea of what I might be doing wrong? How can I build the package?
Thanks in advance.

-- 
meskio | http://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 My contact info: http://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.




Bug#938217: (no subject)

2020-02-27 Thread eamanu
I've just pushed to salsa the support for python 2 removal

Please, review it :)

Cheers,
eamanu




Bug#951907: Suggested Stable Fix

2020-02-27 Thread Scott Kitterman
On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
> Hi Scott,
> 
> On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
> > Debdiff for proposed stable security update attached.
> > 
> > The first hunk of the patch has the actual fix.  I would prefer to use the
> > new upstream release rather than just patch the one line because of the
> > test improvements, of the explanation of the issue in the upstream
> > changelog, and using the new upstream makes it clearer to external
> > reviewers we've done the fix.  There are no unrelated changes.
> 
> Okay let's fix this via a DSA.
> I checked the reverse dependencies and none seem to be particularly
> impacted, but given the primary use of the module is to sanitize input
> and is generic enough we should update.
> 
> Can you set urgency=high for consistency, and add the now assigned CVE
> reference (I did contact Mozilla CNA for it, and they assigned one, it
> is CVE-2020-6802).
> 
> Many thanks for your work and apologies for the long delay.

Thanks.  No worries about the delay.  I imagine this isn't the most severe 
issue you are dealing with this week.

I've dput the package to security-master, modified as above.

Scott K




Bug#952674: New version 0.18 released

2020-02-27 Thread Mathieu Malaterre
Source: jbig2dec
Version: 0.18

Version 0.18 has been released on 2020/02/11. Until the issue with the
git tag is resolved, here is it:

http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=7e45faa81deadc4a3b4419a9e76a17782e8034f4



Bug#951907: Suggested Stable Fix

2020-02-27 Thread Salvatore Bonaccorso
Hi Scott,

On Thu, Feb 27, 2020 at 06:24:09AM -0500, Scott Kitterman wrote:
> On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
> > Hi Scott,
> > 
> > On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
> > > Debdiff for proposed stable security update attached.
> > > 
> > > The first hunk of the patch has the actual fix.  I would prefer to use the
> > > new upstream release rather than just patch the one line because of the
> > > test improvements, of the explanation of the issue in the upstream
> > > changelog, and using the new upstream makes it clearer to external
> > > reviewers we've done the fix.  There are no unrelated changes.
> > 
> > Okay let's fix this via a DSA.
> > I checked the reverse dependencies and none seem to be particularly
> > impacted, but given the primary use of the module is to sanitize input
> > and is generic enough we should update.
> > 
> > Can you set urgency=high for consistency, and add the now assigned CVE
> > reference (I did contact Mozilla CNA for it, and they assigned one, it
> > is CVE-2020-6802).
> > 
> > Many thanks for your work and apologies for the long delay.
> 
> Thanks.  No worries about the delay.  I imagine this isn't the most severe 
> issue you are dealing with this week.
> 
> I've dput the package to security-master, modified as above.

Great many thanks, it got ACCEPTED and quickly tested it as well.
Looks good.

I think though we might need to revisit the assessment that older
versions are not affected. Look at this quick and dirty test
deduced from the testsuite:

cut-cut-cut-cut-cut-cut-
from bleach import clean

raw_tags = [
    "title",
    "textarea",
    "script",
    "style",
    "noembed",
    "noframes",
    "iframe",
    "xmp",
]

for raw_tag in raw_tags:
    print("Testing tag '%s' ... " % raw_tag, end='')
    data = "<%s>" % raw_tag
    expected = "<%s>img src=x onerror=alert(1) /" % raw_tag
    result = clean(data, tags=["noscript", raw_tag])
    if result == expected:
        print("OK")
    else:
        print("FAIL")
        print("expected: %s" % expected)
        print("result:   %s" % result)
cut-cut-cut-cut-cut-cut-

It will result in:

Testing tag 'title' ... FAIL
expected: img src=x onerror=alert(1) /
result:   
Testing tag 'textarea' ... FAIL
expected: img src=x onerror=alert(1) /
result:   
Testing tag 'script' ... FAIL
expected: <img src=x onerror=alert(1) />
result: