New Debian lxml 3.4.0-1+deb8u1 fixes:

This update addresses the following issues:

* An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping (for example whitespace or other separators inserted within the scheme name), allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. Upstream fixed the issue in lxml 4.2.5; the 3.4.0-1+deb8u1 package carries a backport of that fix. (CVE-2018-19787)
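The following Python is an added example, not lxml's own code, and it does not import lxml. It puts the insufficient check the advisory describes (an exact, case-folded prefix match on the raw attribute) next to a hardened check that first normalises the URL the way a tolerant browser does, and wraps the hardened check in a small standard-library sanitizer that drops offending link attributes. The scheme list, the set of characters stripped during normalisation, the attribute names and the sample markup are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Schemes treated as script-bearing. Assumed list for this example, not lxml's.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")

# ASCII whitespace and C0/DEL control characters. A lenient browser (the advisory
# cites Internet Explorer) discards these inside a scheme, so "j a v a s c r i p t:"
# still dispatches to the JavaScript handler. Assumed character set.
_IGNORED_CHARS = re.compile(r"[\x00-\x20\x7f]")


def naive_is_dangerous(url: str) -> bool:
    """The insufficient pattern: an exact, case-folded prefix match only."""
    return url.lower().startswith(DANGEROUS_SCHEMES)


def normalize_url(url: str) -> str:
    """Canonicalise the URL as a tolerant browser would before it looks at the
    scheme: decode HTML character references until stable (an attacker may
    write &#106;avascript:), drop ignored characters, then case-fold."""
    decoded = url
    while True:
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    return _IGNORED_CHARS.sub("", decoded).lower()


def hardened_is_dangerous(url: str) -> bool:
    """Match the scheme against the normalised form, not the raw attribute."""
    return normalize_url(url).startswith(DANGEROUS_SCHEMES)


class HrefSanitizer(HTMLParser):
    """Re-emit the markup, dropping URL-bearing attributes whose normalised
    scheme is dangerous. Comments and doctypes are discarded because
    HTMLParser's default handlers for them do nothing."""

    URL_ATTRS = {"href", "src", "action", "formaction"}  # assumed set

    def __init__(self) -> None:
        # convert_charrefs=False passes text entities through verbatim;
        # attribute values are always delivered already decoded by HTMLParser.
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str, str]] = []

    def _attrs(self, tag: str, attrs) -> str:
        parts = []
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name in self.URL_ATTRS and value is not None and hardened_is_dangerous(value):
                self.dropped.append((tag, name, value))
                continue
            parts.append(f" {name}" if value is None
                         else f' {name}="{html.escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize(markup: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (cleaned markup, list of (tag, attribute, value) removed)."""
    p = HrefSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample input for this example.
SAMPLE = (
    '<a href="j a v a s c r i p t:alert(1)">spaced</a>'
    '<a href="&#106;avascript:alert(1)">entity</a>'
    '<a href="https://example.com/?q=1&amp;r=2">ok</a>'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE)
    print(cleaned)
    for item in dropped:
        print("dropped:", item)
```

The naive check reports the spaced form as safe while the hardened check rejects it; the benign link survives with its ampersand re-escaped on output. Normalising before matching is the general remedy for this class of bypass, and it must run on the decoded attribute value, which is why the sanitizer applies it to what the parser hands over rather than to the raw source text.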
--- mirror/ftp/4.2/unmaintained/4.2-0/source/lxml_3.4.0-1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/lxml_3.4.0-1+deb8u1.dsc @@ -1,3 +1,8 @@ +3.4.0-1+deb8u1 [Mon, 10 Dec 2018 09:39:10 +0100] Chris Lamb <lamby@debian.org>: + + * CVE-2018-19787: Prevent an XSS injection vulnerability where LXML did not + remove "javascript:" URLs that used escaping. + 3.4.0-1 [Thu, 11 Sep 2014 21:17:44 +0200] Matthias Klose <doko@debian.org>: * New upstream version 3.4.0. <http://10.200.17.11/4.2-5/#9012089874836130717>
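Review bot: the hunk covers only the changelog stanza in the .dsc; the change to lxml/html/clean.py that actually removes escaped javascript: URLs is not part of this diff, so the fix itself cannot be reviewed here. Include the code hunk, or at least name in the changelog entry the upstream change the backport is taken from, so the "+ * CVE-2018-19787: Prevent an XSS injection vulnerability where LXML did not" line can be checked against it; while there, write the project name as "lxml" to match the package name used on the surrounding lines.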
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] fdeedb2eaf Bug #48308: lxml 3.4.0-1+deb8u1
 doc/errata/staging/lxml.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

[4.2-5] 42f68919e0 Bug #48308: lxml 3.4.0-1+deb8u1
 doc/errata/staging/lxml.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
<http://errata.software-univention.de/ucs/4.2/563.html>