Univention Bugzilla – Bug 54346
lxml: Multiple issues (5.0)
Last modified: 2022-01-19 13:55:37 CET
New Debian lxml 4.3.2-1+deb10u4 fixes:
This update addresses the following issue:
* HTML Cleaner allows crafted and SVG embedded scripts to pass through (CVE-2021-43818)
--- mirror/ftp/pool/main/l/lxml/lxml_4.3.2-1+deb10u3.dsc +++ apt/ucs_5.0-0-errata5.0-1/source/lxml_4.3.2-1+deb10u4.dsc @@ -1,3 +1,11 @@ +4.3.2-1+deb10u4 [Wed, 12 Jan 2022 17:58:11 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Cleaner: Prevent "@import" from re-occurring in the CSS after + replacements, e.g. "@@importimport" (CVE-2021-43818) (Closes: #1001885) + * Cleaner: Remove SVG image data URLs since they can embed script content + (CVE-2021-43818) (Closes: #1001885) + 4.3.2-1+deb10u3 [Tue, 23 Mar 2021 19:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>: * Non-maintainer upload by the LTS Team. <http://piuparts.knut.univention.de/5.0-1/#7628451185786939588>
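Review bot: the changelog hunk records two separate fixes under CVE-2021-43818, preventing "@import" from re-occurring in the CSS after replacements (e.g. "@@importimport") and removing SVG image data URLs that can embed script content, but the announcement text in this bug names only the SVG embedded-script case; the erratum summary should also mention the CSS "@import" fix so the advisory text matches what 4.3.2-1+deb10u4 actually changes.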
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
<https://errata.software-univention.de/#/?erratum=5.0x189>