Univention Bugzilla – Bug 52451
lxml: Multiple issues (4.4)
Last modified: 2020-12-09 13:11:57 CET
New Debian lxml 3.7.1-1+deb9u1 fixes:

This update addresses the following issues:
* XSS in lxml.html.clean module in lxml/html/clean.py (CVE-2018-19787)
* mXSS due to the use of improper parser (CVE-2020-27783)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/lxml_3.7.1-1.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/lxml_3.7.1-1+deb9u1.dsc @@ -1,3 +1,11 @@ +3.7.1-1+deb9u1 [Thu, 26 Nov 2020 18:38:23 +0530] Abhijith PA <abhijith@debian.org>: + + * Non-maintainer upload by the Debian LTS Team. + * CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module + does not remove javascript: URLs that use escaping. + * CVE-2020-27783: Prevent combinations of <noscript> and <style> to + sneak JavaScript through the HTML cleaner. + 3.7.1-1 [Thu, 05 Jan 2017 19:55:57 +0100] Matthias Klose <doko@debian.org>: * New upstream version 3.7.1. <http://10.200.17.11/4.4-7/#5622458748673695728>
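Review bot: The CVE-2018-19787 line in the new 3.7.1-1+deb9u1 changelog entry describes the defect ("does not remove javascript: URLs that use escaping") instead of the change, while the CVE-2020-27783 line next to it states the fix ("Prevent combinations of <noscript> and <style> ..."). Reword the first line to state the fix as well, for example that the cleaner now removes javascript: URLs that use escaping, so the entry cannot be read as a still-open issue. The diff covers only the .dsc changelog, so the clean.py change itself and any regression test for the two CVEs cannot be checked from these lines.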
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 51a257ef75 Bug #52451: Fix yaml scope
 doc/errata/staging/lxml.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-7] a444d56ed2 Bug #52451: set correct erratalevel for security imports
 doc/errata/staging/lxml.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-7] 287f83e1d1 Bug #52451: yaml
 doc/errata/staging/lxml.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x830>