Univention Bugzilla – Bug 54280
lxml: Multiple issues (4.4)
Last modified: 2022-01-05 17:58:52 CET
New Debian lxml 3.7.1-1+deb9u5 fixes:

This update addresses the following issue:

* HTML Cleaner allows crafted and SVG embedded scripts to pass through (CVE-2021-43818)
--- mirror/ftp/4.4/unmaintained/4.4-8/source/lxml_3.7.1-1+deb9u4.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/lxml_3.7.1-1+deb9u5.dsc @@ -1,3 +1,11 @@ +3.7.1-1+deb9u5 [Wed, 29 Dec 2021 19:08:30 +0530] Utkarsh Gupta <utkarsh@debian.org>: + + * Non-maintainer upload by the LTS Team. + * Add patch to prevent "@import" from re-occurring in the + CSS after replacements, e.g. "@@importimport" and remove + SVG image data URLs since they can embed script content. + (Fixes: CVE-2021-43818) (Closes: #1001885) + 3.7.1-1+deb9u4 [Tue, 23 Mar 2021 19:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>: * Non-maintainer upload by the LTS Team. <http://piuparts.knut.univention.de/4.4-8/#5622458748678025828>
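Review bot: the hunk carries only the .dsc changelog entry for 3.7.1-1+deb9u5; the patch file under debian/patches that implements the two changes the entry names ("@import" no longer re-occurring after replacement, e.g. "@@importimport", and SVG image data URLs being removed) is not in this diff, so neither behaviour can be checked from what is shown. Attach that patch, or a cleaner test input covering both cases, next to the changelog so the review can confirm the replacement repeats until no "@import" is left rather than running once.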
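The two failure modes named in the changelog above, as an added illustration that is not lxml's code, Debian's patch, or anything from this bug: a single-pass removal of "@import" turns "@@importimport" into "@import", so the token must be removed until a fixed point is reached, and an SVG data: URL in an image source can carry a <script> element, so the conservative choice is to drop such URLs outright. The sample CSS, the sample SVG payload and the helper names are all constructed for this example; the regexes are deliberately simple and do not handle CSS escapes or comments.

```python
import base64
import re

# Constructed sample input: the "@@importimport" trick from the changelog entry.
SAMPLE_CSS = "body { color: red } @@importimport url(evil.css);"

# Constructed sample input: an SVG image that embeds script, wrapped in a data: URL.
SVG_WITH_SCRIPT = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>alert(1)</script></svg>"
)
SVG_DATA_URL = "data:image/svg+xml;base64," + base64.b64encode(SVG_WITH_SCRIPT).decode()

# Illustrative token matcher (assumption: no CSS escapes/comments are handled here).
_IMPORT_RE = re.compile(r"@\s*import", re.IGNORECASE)

# Illustrative data: URL splitter: media type, optional ;parameters, then payload.
_DATA_URL_RE = re.compile(r"^\s*data:([^;,]+)((?:;[^,]*)*),(.*)$", re.IGNORECASE | re.DOTALL)


def strip_import_once(css: str) -> str:
    """Naive single-pass removal: "@@importimport" collapses to "@import"."""
    return _IMPORT_RE.sub("", css)


def strip_import_fixpoint(css: str, max_rounds: int = 100) -> str:
    """Remove "@import" until nothing changes.

    Bounded so a pathological input cannot make the cleaner loop forever;
    if the bound is hit the whole stylesheet is refused (empty string).
    """
    for _ in range(max_rounds):
        cleaned = _IMPORT_RE.sub("", css)
        if cleaned == css:
            return css
        css = cleaned
    return ""


def _data_url_parts(src: str):
    """Return (media_type, params, payload) for a data: URL, else None."""
    m = _DATA_URL_RE.match(src)
    if not m:
        return None
    return m.group(1).strip().lower(), m.group(2).lower(), m.group(3)


def data_url_contains_script(src: str) -> bool:
    """Decode a base64 data: URL and look for a <script element in it."""
    parts = _data_url_parts(src)
    if parts is None:
        return False
    _media, params, payload = parts
    if ";base64" in params:
        try:
            body = base64.b64decode(payload, validate=True)
        except (ValueError, base64.binascii.Error):
            return False
    else:
        body = payload.encode()
    return b"<script" in body.lower()


def clean_image_src(src: str):
    """Policy from the changelog: drop SVG image data URLs entirely.

    Returns the source unchanged when it is not an SVG data: URL, and None
    when the attribute should be removed. Inspecting the payload is not
    enough (encodings, CSS-driven loads, external hrefs), so the media
    type alone decides.
    """
    parts = _data_url_parts(src)
    if parts is None:
        return src  # not a data: URL; leave it to the normal URL policy
    media, _params, _payload = parts
    if media.startswith("image/svg"):
        return None
    return src


if __name__ == "__main__":
    print("single pass :", strip_import_once(SAMPLE_CSS))
    print("fixed point :", strip_import_fixpoint(SAMPLE_CSS))
    print("svg has <script>:", data_url_contains_script(SVG_DATA_URL))
    print("cleaned src :", clean_image_src(SVG_DATA_URL))
```

Running the block shows the single-pass result still containing "@import url(evil.css)", the fixed-point result with the directive gone, and the SVG data: URL both flagged as carrying script and removed by the media-type policy.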
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] 8e22c5f488 Bug #54280: lxml 3.7.1-1+deb9u5
 doc/errata/staging/lxml.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1138>