python-lxml-4.2.3-3.el8

Errata ID: AXSA:2021-2726:02

Release date: Monday, December 13, 2021 - 16:24
Subject: python-lxml-4.2.3-3.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

lxml is an XML processing library that provides access to the libxml2 and libxslt libraries through the Python ElementTree API.

Security Fix(es):

* python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-28957
An XSS vulnerability was discovered in the clean module of python-lxml in versions before 4.6.3. When both the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the HTML5 formaction attribute, so a JavaScript URL placed in that attribute survives sanitization. A remote attacker could exploit this flaw to run arbitrary JavaScript in the browsers of users who interact with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
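The check below is an added example, not code from lxml, python-lxml or this advisory. It deliberately does not import lxml: it assumes the input is HTML that has already passed through an lxml.html.clean.Cleaner configured with safe_attrs_only=False and forms=False (the configuration described above), and applies an independent, standard-library-only pass that detects or strips formaction attributes whose URL scheme is not allowed. The sample markup, the function and class names, and the SAFE_SCHEMES policy are assumptions of the example; the real remedy remains updating the package.

```python
"""Post-sanitization check for HTML5 formaction attributes.

Added example, not code from lxml or this advisory. Assumes the input has
already been through an lxml Cleaner with safe_attrs_only=False and
forms=False, and re-checks it with the standard library only.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy: only these schemes may appear in formaction.
# Relative URLs (no scheme at all) are allowed.
SAFE_SCHEMES = {"http", "https", "mailto"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def url_is_safe(url: str) -> bool:
    """True if url is relative or uses a scheme in SAFE_SCHEMES.

    Browsers drop ASCII control characters and whitespace before parsing
    the scheme, so "java\\tscript:" must be treated as "javascript:".
    """
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True
    return match.group(1).lower() in SAFE_SCHEMES


class FormactionFilter(HTMLParser):
    """Re-serialises HTML, dropping formaction attributes with unsafe URLs.

    findings records (tag, value) for every attribute removed, so one pass
    serves both as a detector and as a filter.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.findings: list[tuple[str, str]] = []
        self.out: list[str] = []

    def _emit_tag(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            # HTMLParser lowercases attribute names and decodes entities in
            # values, so "&#106;avascript:" already reads "javascript:" here.
            if name == "formaction" and not url_is_safe(value or ""):
                self.findings.append((tag, value or ""))
                continue
            kept.append((name, value))
        parts = [tag]
        for name, value in kept:
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    # Comments are dropped: the default handle_comment emits nothing.


def find_unsafe_formaction(html: str) -> list[tuple[str, str]]:
    parser = FormactionFilter()
    parser.feed(html)
    parser.close()
    return parser.findings


def strip_unsafe_formaction(html: str) -> str:
    parser = FormactionFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: markup a Cleaner(safe_attrs_only=False, forms=False)
# before 4.6.3 passes through unchanged. The first button redirects the
# form submission into a javascript: URL; the second is a legitimate use.
SAMPLE = (
    '<form action="/comment"><input name="body">'
    '<button formaction="javascript:alert(document.cookie)">Post</button>'
    '<button formaction="/preview">Preview</button></form>'
)

if __name__ == "__main__":
    for tag, value in find_unsafe_formaction(SAMPLE):
        print(f"unsafe formaction on <{tag}>: {value!r}")
    print(strip_unsafe_formaction(SAMPLE))
```

Only formaction values with a disallowed scheme are removed, which mirrors the upstream fix (treating formaction as a URL-bearing attribute) while keeping legitimate relative targets. A stricter deployment can drop the attribute unconditionally, since formaction also lets an attacker redirect a form submission to any allowed-scheme host, which is not XSS but is still a data-exfiltration path.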

Solution: 

Update packages. The fix is backported, so the package version stays at 4.2.3 (release 3.el8) rather than moving to upstream 4.6.3; when auditing hosts, compare the installed package release against 4.2.3-3.el8 rather than against the upstream version number.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-lxml-4.2.3-3.el8.src.rpm
    MD5: c041428079b68390d989fbc5d3b90aed
    SHA-256: 0957c7aeb6796afaa74370a53600bd4399f16ba37f513e1cc4d0b5184c7c06bc
    Size: 4.28 MB

Asianux Server 8 for x86_64
  1. python3-lxml-4.2.3-3.el8.x86_64.rpm
    MD5: 3046879e44a20e5063bc1e60ac7b41f2
    SHA-256: 72f03bf1c5ceeee664e9f61a090a4d061c11905bdce3892a1d889fdc0fa04864
    Size: 1.50 MB