Debian alert DLA-2606-1 (lxml)
| From: | Thorsten Alteholz <debian@alteholz.de> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 2606-1] lxml security update |
| Date: | Wed, 24 Mar 2021 18:10:42 +0000 |
| Message-ID: | <alpine.DEB.2.21.2103241809410.5333@postfach.intern.alteholz.me> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2606-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
March 24, 2021                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : lxml
Version        : 3.7.1-1+deb9u4
CVE ID         : CVE-2021-28957

An issue has been found in lxml, a pythonic binding for the libxml2 and
libxslt libraries.
Due to missing input sanitization, XSS is possible for the HTML5
formaction attribute.

For Debian 9 stretch, this problem has been fixed in version
3.7.1-1+deb9u4.

We recommend that you upgrade your lxml packages.

For the detailed security status of lxml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lxml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
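A post-sanitization audit for the attribute named in the advisory, as an added example that is not part of the advisory or of lxml: it parses already-sanitized HTML with Python's standard `html.parser` and reports URL-carrying attributes, `formaction` included, whose value starts with a script scheme. The attribute list, the scheme list and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumption: attributes treated as URL-carrying for this audit.
# "formaction" is the one named in the advisory.
URL_ATTRS = {"href", "src", "action", "formaction"}
# Assumption: schemes treated as script-capable.
BLOCKED_SCHEMES = ("javascript:", "vbscript:")


def normalized(value):
    """Lower-case the value and drop spaces and control characters."""
    return "".join(ch for ch in value if ch > " ").lower()


class UrlAttrAudit(HTMLParser):
    """Collects (tag, attribute, value) for every unsafe URL attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases names and decodes character references
        # in values, so entity-encoded schemes are seen in decoded form.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                if normalized(value).startswith(BLOCKED_SCHEMES):
                    self.findings.append((tag, name, value))


def audit(html):
    """Return the unsafe URL attributes still present in sanitized HTML."""
    parser = UrlAttrAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: sanitizer output in which formaction was not filtered.
SAMPLE = (
    '<form action="/search"><input name="q">'
    '<button formaction=" JavaScript:void(0)">Go</button>'
    '<input type="submit" formaction="/safe" value="OK"></form>'
    '<a href="https://www.debian.org/lts/security/">LTS</a>'
)

if __name__ == "__main__":
    for tag, name, value in audit(SAMPLE):
        print(f"unsafe URL left in <{tag} {name}=...>: {value!r}")
```

Run over stored or freshly sanitized user content, an empty result for `formaction` is a quick regression check that the upgraded package is the one actually in use.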
