[Bug 1319603] Re: python-lxml vulnerable to CVE-2014-3146
Seth Arnold
1319603 at bugs.launchpad.net
Thu May 15 18:17:23 UTC 2014
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3146
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to lxml in Ubuntu.
https://bugs.launchpad.net/bugs/1319603
Title:
python-lxml vulnerable to CVE-2014-3146
Status in “lxml” package in Ubuntu:
New
Bug description:
Description: Ubuntu 12.04.4 LTS
Release: 12.04
python-lxml:
Installed: 2.3.2-1
Candidate: 2.3.2-1
Version table:
*** 2.3.2-1 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
100 /var/lib/dpkg/status
lxml.html.clean_html fails to appropriately escape javascript in the presence of escaped control characters.
Example PoC:
http://seclists.org/fulldisclosure/2014/Apr/210
This is patched in lxml-3.3.5:
https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxml/+bug/1319603/+subscriptions
More information about the foundations-bugs mailing list
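The failure mode the report describes is an incomplete normalisation step: before matching the link against its scheme blacklist, the cleaner collapsed whitespace only, so a control character inserted into "javascript:" defeated the match while browsers still executed the link. The block below is an added example written for this page, not lxml's own code and not the seclists PoC. It models the cleaner's scheme check with a whitespace-only substitution (the pre-3.3.5 behaviour) next to one that also removes C0 control characters (the 3.3.5 fix), and runs both over constructed href values. The regexes, the sample values and the helper names are the editor's, and the example assumes the HTML parser has already decoded any character reference (such as `&#1;`) into the raw control character before the cleaner sees the attribute.

```python
import re
from urllib.parse import unquote_plus

# Scheme blacklist, matched after the link has been normalised.
_JS_SCHEME = re.compile(
    r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
    re.I).search

# Pre-fix normalisation (assumption: models lxml < 3.3.5): only whitespace
# is removed, so "java\x01script:" never matches the blacklist.
_strip_ws_only = re.compile(r'\s+').sub

# Post-fix normalisation (assumption: models lxml 3.3.5): C0 control
# characters are removed as well. \t \n \v \f \r are already covered by \s,
# which is why the class skips 0x09-0x0A and 0x0D.
_strip_ws_and_ctrl = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub


def is_js_link(href, substitute):
    """Decode %-escapes, drop the characters the cleaner ignores, then match."""
    normalised = substitute('', unquote_plus(href))
    return _JS_SCHEME(normalised) is not None


def clean_href_old(href):
    """Vulnerable behaviour: whitespace-only normalisation."""
    return '' if is_js_link(href, _strip_ws_only) else href


def clean_href_fixed(href):
    """Fixed behaviour: whitespace and control characters normalised."""
    return '' if is_js_link(href, _strip_ws_and_ctrl) else href


# Constructed sample attribute values, as the cleaner would see them after
# the parser has decoded character references.
SAMPLES = {
    'plain':        'javascript:alert(1)',        # caught by both
    'whitespace':   'java\tscript:alert(1)',      # caught by both (\s)
    'control_char': 'java\x01script:alert(1)',    # bypasses the old check
    'url_encoded':  'java%01script:alert(1)',     # %01 decoded, then stripped
    'benign':       'https://example.org/',       # must survive both
}


def compare():
    """Return {name: (old_result, fixed_result)} for every sample."""
    return {name: (clean_href_old(h), clean_href_fixed(h))
            for name, h in SAMPLES.items()}


if __name__ == '__main__':
    for name, (old, fixed) in compare().items():
        print(f'{name:13} old={old!r:28} fixed={fixed!r}')
```

An empty string means the cleaner dropped the link; the unchanged value means it was let through. Only the control-character samples differ between the two columns, which is exactly the gap CVE-2014-3146 describes. To check a real installation rather than this model, feed the same attribute through `lxml.html.clean.clean_html` on the version in question and see whether the href survives.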