ESB-2014.0857 - [Linux][Debian][OSX] lxml: Cross-site scripting - Remote with user interaction

Date: 02 June 2014

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0857
                           lxml security update
                                2 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lxml
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Linux variants
                   OS X
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3146  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2941

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running lxml check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2941-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
Jun 01, 2014                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lxml
CVE ID         : CVE-2014-3146

It was discovered that the clean_html() function of lxml (pythonic bindings 
for the libxml2 and libxslt libraries) performed insufficient 
sanitisation of some non-printable characters. This could lead to 
cross-site scripting.

For the stable distribution (wheezy), this problem has been fixed in
version 2.3.2-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 3.3.5-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.3.5-1.

We recommend that you upgrade your lxml packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------
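As an added example (not part of the Debian advisory or of AusCERT's own text), the following Python script orders Debian package version strings the way dpkg does and checks an installed lxml version against the fixed versions the DSA above lists. The suite names and fixed versions are taken from the advisory; the function names are this example's own.

```python
# Added example, not part of the DSA: compare an installed lxml package version
# with the fixed versions DSA-2941 lists, using dpkg's version-ordering rules.
FIXED_VERSIONS = {"wheezy": "2.3.2-1+deb7u1", "jessie": "3.3.5-1", "sid": "3.3.5-1"}

def _order(c):  # dpkg character weight: '~' sorts before anything, even end of string
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256 if c else 0

def _verrevcmp(a, b):
    # Compare upstream or revision strings (dpkg verrevcmp): alternating runs of
    # non-digits (compared by _order weight) and digits (compared numerically).
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():  # the longer digit run is the larger number
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]'; a missing epoch is 0, a missing revision is ''.
    epoch, upstream = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = upstream.rsplit("-", 1) if "-" in upstream else (upstream, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Return -1, 0 or 1, ordering a against b as `dpkg --compare-versions` does.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    for d in (ea - eb, _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if d:
            return 1 if d > 0 else -1
    return 0

def is_fixed(installed, suite):
    # True when the installed version is at or above the DSA's fixed version for the suite.
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0
```

Feed it the version reported by your package manager for the installed lxml package; a pre-release suffix such as `~rc1` and the `+deb7u1` security revision are ordered exactly as dpkg orders them.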

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================