
[SECURITY] [DLA 1604-1] lxml security update




Package        : lxml
Version        : 3.4.0-1+deb8u1
CVE ID         : CVE-2018-19787

It was discovered that there was an XSS injection vulnerability in
the LXML HTML/XML manipulation library for Python.

LXML did not remove "javascript:" URLs that used escaping such as
"j a v a s c r i p t". This is a similar issue to CVE-2014-3146.

For Debian 8 "Jessie", this issue has been fixed in lxml version
3.4.0-1+deb8u1.

We recommend that you upgrade your lxml packages.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

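The failure mode described in the advisory, as an added example (not lxml's code or the Debian patch): a scheme check that matches only the literal prefix misses the spaced-out form, while a check that normalizes the value first catches it. The function names, the deny-list and the sample URLs are constructed for illustration, and treating percent-escapes as part of "escaping" is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Assumed deny-list for this example; a real sanitizer may block more schemes.
SCRIPT_SCHEMES = ("javascript", "vbscript")
# Whitespace and ASCII control characters, removed before the scheme is read.
_IGNORABLE = re.compile(r"[\s\x00-\x1f\x7f]+")
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_script_url(url):
    """Weak check: matches only the literal, unescaped scheme prefix."""
    return url.strip().lower().startswith(tuple(s + ":" for s in SCRIPT_SCHEMES))


def normalized_scheme(url):
    """Lower-cased scheme after undoing percent-escapes and dropping
    whitespace/control characters; '' when the value has no scheme."""
    compact = _IGNORABLE.sub("", unquote_plus(url))
    match = _SCHEME.match(compact)
    return match.group(1).lower() if match else ""


def is_script_url(url):
    """Hardened check: decide on the normalized scheme, not the raw text."""
    return normalized_scheme(url) in SCRIPT_SCHEMES


# Constructed sample attribute values (not from the advisory or lxml's tests).
SAMPLES = [
    "javascript:void(0)",
    "j a v a s c r i p t:void(0)",
    "j%20a%20v%20a%20s%20c%20r%20i%20p%20t:void(0)",
    "JaVa\tScRiPt:void(0)",
    "https://example.org/a+b?q=1",
    "/relative/path",
]


def audit(samples=SAMPLES):
    """Return (url, naive_verdict, hardened_verdict) for each sample."""
    return [(u, naive_is_script_url(u), is_script_url(u)) for u in samples]


if __name__ == "__main__":
    for url, naive, hardened in audit():
        print(f"{url!r:55} naive={naive!s:5} hardened={hardened}")
```

The hardened check is deliberately conservative: it may reject a value that a given browser would not execute, which is the safe direction for an HTML cleaner.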

