Debian alert DLA-1604-1 (lxml)

From: Chris Lamb <lamby@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1604-1] lxml security update
Date: Mon, 10 Dec 2018 09:47:41 +0100
Message-ID: <1544431661.3412569.1604306304.036377CB@webmail.messagingengine.com>

Package : lxml
Version : 3.4.0-1+deb8u1
CVE ID : CVE-2018-19787

It was discovered that there was an XSS injection vulnerability in the LXML HTML/XML manipulation library for Python. LXML did not remove "javascript:" URLs that used escaping such as "j a v a s c r i p t". This is a similar issue to CVE-2014-3146.

For Debian 8 "Jessie", this issue has been fixed in lxml version 3.4.0-1+deb8u1.

We recommend that you upgrade your lxml packages.

Regards,

--
Chris Lamb
lamby@debian.org / chris-lamb.co.uk
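As an added example that is not part of the advisory or of lxml's own code, the check below shows the defensive pattern the bug calls for: canonicalise a URL's scheme (decode entities, strip whitespace and control characters, lowercase) and then compare it against an allowlist rather than a blocklist, so that obfuscated spellings like the "j a v a s c r i p t" form quoted above are rejected. The function names and the set of allowed schemes are assumptions; the sample URLs are constructed.

```python
import html
import re
import unicodedata
from typing import Optional

# Schemes the sanitizer is willing to keep. Anything else, including
# "javascript:", is rejected. An allowlist sidesteps the blocklist-bypass
# class of bug the advisory describes. (Assumed policy for this example.)
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

# ASCII whitespace and C0/C1 control characters. A naive comparison against
# the literal string "javascript:" misses a scheme with these interleaved,
# so they are removed before the scheme is examined. Stripping is
# conservative: it can only cause more URLs to be rejected, never fewer.
_IGNORABLE = re.compile(r"[\s\x00-\x1f\x7f-\x9f]")


def canonical_scheme(url: str) -> Optional[str]:
    """Return the normalised scheme of `url`, or None if it has no scheme."""
    # Undo HTML entity encoding first, e.g. "&#106;avascript:" -> "javascript:".
    decoded = html.unescape(url)
    # Fold compatibility characters (fullwidth letters etc.) to their ASCII forms.
    decoded = unicodedata.normalize("NFKC", decoded)
    # Remove whitespace/control characters that could split up the scheme.
    collapsed = _IGNORABLE.sub("", decoded)
    head, sep, _rest = collapsed.partition(":")
    if not sep:
        return None  # no colon at all: a relative URL
    # A colon inside the path or query (e.g. "/p?x=javascript:1") is not a scheme.
    if any(ch in head for ch in "/?#"):
        return None
    return head.lower()


def is_safe_href(url: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme."""
    scheme = canonical_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


def sanitize_href(url: str) -> str:
    """Replace a disallowed href with an inert value instead of passing it through."""
    return url if is_safe_href(url) else "#"


if __name__ == "__main__":
    # Constructed samples: the last three mimic the obfuscation the advisory mentions.
    for sample in ["https://example.org/", "/relative/path", "mailto:user@example.org",
                   "j a v a s c r i p t:alert(1)", "JaVa\tScRiPt:alert(1)",
                   "&#106;avascript:alert(1)"]:
        print(f"{sample!r:40} -> {sanitize_href(sample)!r}")
```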