SUSE-SU-2022:3934-1

Опубликовано: 10 нояб. 2022

Источник: suse-cvrf

Описание

Security update for python3-lxml

This update for python3-lxml fixes the following issues:

CVE-2021-28957: Fixed XSS due to missing input sanitization for HTML5 attributes (bsc#1184177).

Список пакетов

SUSE Linux Enterprise Module for Public Cloud 12

python3-lxml-3.3.5-3.15.1

python3-lxml-doc-3.3.5-3.15.1

Ссылки

https://www.suse.com/support/update/announcement/2022/suse-su-20223934-1/
Link for SUSE-SU-2022:3934-1
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012872.html
E-Mail link for SUSE-SU-2022:3934-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1184177
SUSE Bug 1184177
https://www.suse.com/security/cve/CVE-2021-28957/
SUSE CVE CVE-2021-28957 page

Описание

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Затронутые продукты

SUSE Linux Enterprise Module for Public Cloud 12:python3-lxml-3.3.5-3.15.1

SUSE Linux Enterprise Module for Public Cloud 12:python3-lxml-doc-3.3.5-3.15.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-28957.html
CVE-2021-28957
https://bugzilla.suse.com/1184177
SUSE Bug 1184177

SUSE-SU-2022:3934-1

Описание

Список пакетов

SUSE Linux Enterprise Module for Public Cloud 12

Ссылки

Уязвимость: CVE-2021-28957

Описание

Затронутые продукты

Ссылки