-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0857
                            lxml security update
                                 2 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lxml
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Linux variants
                   OS X
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3146

Original Bulletin:
   http://www.debian.org/security/2014/dsa-2941

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running lxml check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2941-1                   security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
Jun 01, 2014                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : lxml
CVE ID         : CVE-2014-3146

It was discovered that the clean_html() function of lxml (pythonic bindings
for the libxml2 and libxslt libraries) performed insufficient sanitisation
for some non-printable characters. This could lead to cross-site scripting.

For the stable distribution (wheezy), this problem has been fixed in
version 2.3.2-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 3.3.5-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.3.5-1.

We recommend that you upgrade your lxml packages.
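A defence-in-depth pre-filter to run ahead of clean_html() while the upgrade rolls out, as an added example (not code from the advisory or from lxml): it strips the control and format characters a browser would otherwise ignore, so a sanitiser that checks attribute values never sees them. The `cleaner` callable and the sample markup are assumptions; in practice pass lxml's clean_html as the cleaner.

```python
import re
import unicodedata

# C0 controls (except tab, LF, CR), DEL and the C1 range. Browsers tend to
# ignore these inside attribute values, which is why a sanitiser that leaves
# them in place can be bypassed: the class of problem DSA-2941 describes.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")

# Constructed sample: two invisible characters, one in text, one inside a URL.
SAMPLE = '<p>Hello\x01 <a href="http://example.com/\x7fpage">link</a></p>'


def strip_nonprintable(markup: str):
    """Return (cleaned_markup, number_of_characters_removed).

    Two passes: the regex handles the ASCII/Latin-1 control ranges; the
    second pass drops any remaining Unicode control (Cc) or format (Cf)
    code points such as zero-width characters, which are just as invisible.
    """
    cleaned, removed = _CONTROL_RE.subn("", markup)
    extra = [
        ch for ch in cleaned
        if unicodedata.category(ch) in ("Cc", "Cf") and ch not in "\t\n\r"
    ]
    for ch in set(extra):
        cleaned = cleaned.replace(ch, "")
    return cleaned, removed + len(extra)


def sanitize(markup: str, cleaner=lambda s: s):
    """Pre-filter, then hand the result to the real HTML cleaner.

    `cleaner` is assumed to be a str -> str callable (e.g. lxml's clean_html);
    the default identity cleaner only exists so the example runs stand-alone.
    Returns (cleaned_markup, number_of_invisible_characters_removed) so the
    caller can log or alert when input carried such characters at all.
    """
    prefiltered, removed = strip_nonprintable(markup)
    return cleaner(prefiltered), removed
```

A non-zero removed count is itself worth logging: legitimate markup rarely carries control characters, so their presence is a useful detection signal.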
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================