UbuntuUpdates.org

Package "python-lxml"

Name: python-lxml

Description:

pythonic binding for the libxml2 and libxslt libraries

Latest version: 4.5.0-1ubuntu0.5
Release: focal (20.04)
Level: security
Repository: universe
Head package: lxml
Homepage: http://lxml.de/


Other versions of "python-lxml" in Focal

Repository Area Version
base universe 4.5.0-1
updates universe 4.5.0-1ubuntu0.5

Changelog

Version: 4.5.0-1ubuntu0.5 2022-01-12 15:07:17 UTC

  lxml (4.5.0-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/CVE-2021-43818-*.patch: prevent "@import"
      from re-occurring in the CSS after replacements and remove
      SVG image data URLs since they can embed script content in
      src/lxml/html/clean.py, src/html/tests/test_clean.py.
    - CVE-2021-43818

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 04 Jan 2022 09:33:10 -0300

CVE-2021-43818 lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted scri

Version: 4.5.0-1ubuntu0.3 2021-03-30 18:06:24 UTC

  lxml (4.5.0-1ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: incorrect formaction attribute input sanitization
    - debian/patches/CVE-2021-28957.patch: add HTML-5 formaction attribute
      to defs.link_attrs in src/lxml/html/defs.py,
      src/lxml/html/tests/test_clean.py.
    - CVE-2021-28957

 -- Marc Deslauriers <email address hidden> Mon, 29 Mar 2021 12:04:02 -0400

CVE-2021-28957 lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not d

Version: 4.5.0-1ubuntu0.2 2020-12-11 18:06:42 UTC

  lxml (4.5.0-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/CVE-2020-27783-part2*.patch:
      This adds the missing part reported from upstream
      Prevent combinations of <noscript> and <style> to sneak
      JS through the HTML cleaner in src/lxml/html/clean.py,
      src/lxml/html/tests/test_clean.py.
    - CVE-2020-27783
  * Adding --with-cython to debian/rules so that the build compiles the
    changed .py files and regenerates the .c files for the binaries.

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 09 Dec 2020 21:56:41 -0300

CVE-2020-27783 A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behavi

Version: 4.5.0-1ubuntu0.1 2020-12-09 15:06:28 UTC

  lxml (4.5.0-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: XSS vulnerability
    - Prevent combinations of <noscript> and <style> to sneak
      JS through the HTML cleaner in src/lxml/html/clean.py,
      src/lxml/html/tests/test_clean.py.
    - CVE-2020-27783

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 08 Dec 2020 13:54:35 -0300

CVE-2020-27783 A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behavi


