
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3829
                         lxml updated in Debian 8
                             11 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lxml
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19787  

Reference:         ESB-2018.0847

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running lxml check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------


Package        : lxml
Version        : 3.4.0-1+deb8u1
CVE ID         : CVE-2018-19787

It was discovered that there was an XSS injection vulnerability in
the LXML HTML/XML manipulation library for Python.

LXML did not remove "javascript:" URLs that used escaping such as
"j a v a s c r i p t". This is a similar issue to CVE-2014-3146.

For Debian 8 "Jessie", this issue has been fixed in lxml version
3.4.0-1+deb8u1.

We recommend that you upgrade your lxml packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-


- --------------------------END INCLUDED TEXT--------------------
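As an added illustration (not part of the Debian or AusCERT text), the Python check below shows why a literal-prefix test misses the escaped "javascript:" forms the included advisory describes, and how a sanitiser can normalise a URL's scheme the way a browser does before deciding whether to strip it. The whitespace set, the sample hrefs and the function names are this example's own assumptions, not lxml's code.

```python
import html
import re

# Whitespace and C0/DEL control characters that browsers discard while reading
# a URL scheme.  This set is an assumption of this example, not lxml's code.
_STRIP_RE = re.compile(r'[\s\x00-\x1f\x7f]+')
_SCHEME_RE = re.compile(r'[a-z][a-z0-9+.\-]*')


def naive_is_javascript_url(href: str) -> bool:
    """Literal prefix test: the kind of check "j a v a s c r i p t:" slips past."""
    return href.lower().startswith('javascript:')


def normalize_scheme(href: str) -> str:
    """Return the scheme a browser would dispatch on, or '' if there is none.

    Steps: decode HTML character references (&#106; &#x6a; &Tab; ...), take the
    text before the first ':', drop whitespace/control characters inside it and
    lower-case.  Anything that is not plain ASCII letters/digits/+.- is not a
    scheme at all, so the URL is treated as relative and reported as ''.
    """
    decoded = html.unescape(href)
    scheme, sep, _rest = decoded.partition(':')
    if not sep:
        return ''
    scheme = _STRIP_RE.sub('', scheme).lower()
    return scheme if _SCHEME_RE.fullmatch(scheme) else ''


def is_javascript_url(href: str) -> bool:
    """Scheme-aware test that catches the escaped forms from the advisory."""
    return normalize_scheme(href) == 'javascript'


# Constructed sample hrefs: the first three are escaped forms a naive prefix
# check misses; the last three are benign and must not be flagged.
SAMPLE_HREFS = [
    'j a v a s c r i p t:alert(1)',
    '\tjava\nscript:alert(1)',
    'Java&#x53;cript&#58;alert(1)',
    'https://example.com/?next=javascript:alert(1)',
    '/relative/path',
    'mailto:someone@example.com',
]


def audit(hrefs=SAMPLE_HREFS):
    """Return the hrefs a cleaner must rewrite or drop, per the scheme-aware test."""
    return [h for h in hrefs if is_javascript_url(h)]
```

Running `audit()` on the constructed list returns only the first three entries; the same inputs against `naive_is_javascript_url` flag none of them, which is the gap the Debian update closes for lxml's cleaner.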

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================