- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           Gentoo Linux Security Advisory           GLSA 202208-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: lxml: Multiple Vulnerabilities
      Date: August 10, 2022
      Bugs: #777579, #829053, #856598
        ID: 202208-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in lxml, the worst of
which could result in denial of service.

Background
==========

lxml is a Pythonic binding for the libxml2 and libxslt libraries.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-python/lxml            < 4.9.1                    >= 4.9.1

Description
===========

Multiple vulnerabilities have been discovered in lxml. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All lxml users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/lxml-4.9.1"

References
==========

[ 1 ] CVE-2021-28957
      https://nvd.nist.gov/vuln/detail/CVE-2021-28957
[ 2 ] CVE-2021-43818
      https://nvd.nist.gov/vuln/detail/CVE-2021-43818
[ 3 ] CVE-2022-2309
      https://nvd.nist.gov/vuln/detail/CVE-2022-2309
[ 4 ] GHSL-2021-1037
[ 5 ] GHSL-2021-1038

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Software Collections security update
Advisory ID:       RHSA-2022:1664-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1664
Issue date:        2022-05-02
CVE Names:         CVE-2021-43818
====================================================================

1. Summary:

An update for rh-python38-python, rh-python38-python-lxml, and
rh-python38-python-pip is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

lxml is an XML processing library providing access to libxml2 and libxslt
libraries using the Python ElementTree API.

Security Fix(es):

* python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass
through (CVE-2021-43818)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2032569 - CVE-2021-43818 python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through
2064443 - SCL Python 3.8: pip contains bundled pre-built exe files in site-packages/pip/_vendor/distlib/ [rhscl-3.8.z]
2068592 - Rebase the python3.8 interpreter to version 3.8.13 [rhscl-3.8.z]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v.7):

Source:
rh-python38-python-3.8.13-1.el7.src.rpm
rh-python38-python-lxml-4.4.1-8.el7.src.rpm
rh-python38-python-pip-19.3.1-3.el7.src.rpm

noarch:
rh-python38-python-pip-19.3.1-3.el7.noarch.rpm
rh-python38-python-pip-wheel-19.3.1-3.el7.noarch.rpm
rh-python38-python-rpm-macros-3.8.13-1.el7.noarch.rpm
rh-python38-python-srpm-macros-3.8.13-1.el7.noarch.rpm

ppc64le:
rh-python38-python-3.8.13-1.el7.ppc64le.rpm
rh-python38-python-debug-3.8.13-1.el7.ppc64le.rpm
rh-python38-python-debuginfo-3.8.13-1.el7.ppc64le.rpm
rh-python38-python-devel-3.8.13-1.el7.ppc64le.rpm
rh-python38-python-idle-3.8.13-1.el7.ppc64le.rpm
rh-python38-python-libs-3.8.13-1.el7.ppc64le.rpm
rh-python38-python-lxml-4.4.1-8.el7.ppc64le.rpm
rh-python38-python-lxml-debuginfo-4.4.1-8.el7.ppc64le.rpm
rh-python38-python-test-3.8.13-1.el7.ppc64le.rpm
rh-python38-python-tkinter-3.8.13-1.el7.ppc64le.rpm

s390x:
rh-python38-python-3.8.13-1.el7.s390x.rpm
rh-python38-python-debug-3.8.13-1.el7.s390x.rpm
rh-python38-python-debuginfo-3.8.13-1.el7.s390x.rpm
rh-python38-python-devel-3.8.13-1.el7.s390x.rpm
rh-python38-python-idle-3.8.13-1.el7.s390x.rpm
rh-python38-python-libs-3.8.13-1.el7.s390x.rpm
rh-python38-python-lxml-4.4.1-8.el7.s390x.rpm
rh-python38-python-lxml-debuginfo-4.4.1-8.el7.s390x.rpm
rh-python38-python-test-3.8.13-1.el7.s390x.rpm
rh-python38-python-tkinter-3.8.13-1.el7.s390x.rpm

x86_64:
rh-python38-python-3.8.13-1.el7.x86_64.rpm
rh-python38-python-debug-3.8.13-1.el7.x86_64.rpm
rh-python38-python-debuginfo-3.8.13-1.el7.x86_64.rpm
rh-python38-python-devel-3.8.13-1.el7.x86_64.rpm
rh-python38-python-idle-3.8.13-1.el7.x86_64.rpm
rh-python38-python-libs-3.8.13-1.el7.x86_64.rpm
rh-python38-python-lxml-4.4.1-8.el7.x86_64.rpm
rh-python38-python-lxml-debuginfo-4.4.1-8.el7.x86_64.rpm
rh-python38-python-test-3.8.13-1.el7.x86_64.rpm
rh-python38-python-tkinter-3.8.13-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v.7):

Source:
rh-python38-python-3.8.13-1.el7.src.rpm
rh-python38-python-lxml-4.4.1-8.el7.src.rpm
rh-python38-python-pip-19.3.1-3.el7.src.rpm

noarch:
rh-python38-python-pip-19.3.1-3.el7.noarch.rpm
rh-python38-python-pip-wheel-19.3.1-3.el7.noarch.rpm
rh-python38-python-rpm-macros-3.8.13-1.el7.noarch.rpm
rh-python38-python-srpm-macros-3.8.13-1.el7.noarch.rpm

x86_64:
rh-python38-python-3.8.13-1.el7.x86_64.rpm
rh-python38-python-debug-3.8.13-1.el7.x86_64.rpm
rh-python38-python-debuginfo-3.8.13-1.el7.x86_64.rpm
rh-python38-python-devel-3.8.13-1.el7.x86_64.rpm
rh-python38-python-idle-3.8.13-1.el7.x86_64.rpm
rh-python38-python-libs-3.8.13-1.el7.x86_64.rpm
rh-python38-python-lxml-4.4.1-8.el7.x86_64.rpm
rh-python38-python-lxml-debuginfo-4.4.1-8.el7.x86_64.rpm
rh-python38-python-test-3.8.13-1.el7.x86_64.rpm
rh-python38-python-tkinter-3.8.13-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2021-43818
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYm+vntzjgjWX9erEAQi/gg/8CuTnUa8Ds0aFv3nwfjfiZcq3N8VWxTHB
kdG/iamBiMPAjPMRPFB7HqetmzbmbzB3Qc/1QYbRvnkYGGUoDzdhxlwjhb9lkgwU
rfWtpB4A4ryffT+V2va/8GDBnipLGmT9Myg0CcJmQ+gi75zB/+nGgAGCoxpJGCv7
QDLm+IIKVUpGmDQkny2BSWzA64iQJMz2Kb1gy/igOLHyn4RmJkrt8nqZbLoN1KF7
KnQG6GxMtfai3PmoHBQUA/CsD49V3Z2kYgT6xmq9l3xzYLkIeMSRvEqPdkwGOROP
9l+SV7VvD/lqKTgpfAyAw7BzG5T088ZgMB1MjIHDbU8I0uy2A5PvGjfdW1u35okT
CZnpzTPWLeJqDO4rs4YdU8uJRJjm9gA20Ts9I0S1GIT/oJIW3FxElVr1ya2bQQNc
OR1ytZvJBfR7QzjkzLIzLUEoyLgRd/gvja59+SYLM3RMxjfcY8OPZk6MbBXvdkwL
kY3E2k/W4jCXMXI9bb7okNO/RmGrGQ3Zz526NlOsOJZwtJrqyFILPL1V/bDOFGDW
lL1oQnROilEIZY07RpYDw6j042Tp3I0imv3TX6o192dYYJP1ybDNv9jPmcl77Eqt
p2r8rtnA0NO8yUwEBUFkoOyI4MBmLmqy7tJCI2r51KvMgyTaaAo087kNnwIbvWG3
lanRNEaBolA=
=vlmi
-----END PGP SIGNATURE-----
It was discovered that lxml, a Python binding for the libxml2 and libxslt libraries, does not properly sanitize its input, which could lead to cross-site scripting.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5043-1
==========================================================================
Ubuntu Security Notice USN-5225-1
January 12, 2022

lxml vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

lxml could be made to execute arbitrary code if it received a specially
crafted XML or HTML file.

Software Description:
- lxml: pythonic binding for the libxml2 and libxslt libraries

Details:

It was discovered that lxml incorrectly handled certain XML and HTML
files. An attacker could possibly use this issue to execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
  python3-lxml                    4.6.3+dfsg-0.1ubuntu0.2

Ubuntu 21.04:
  python3-lxml                    4.6.3-1ubuntu0.2

Ubuntu 20.04 LTS:
  python-lxml                     4.5.0-1ubuntu0.5
  python3-lxml                    4.5.0-1ubuntu0.5

Ubuntu 18.04 LTS:
  python-lxml                     4.2.1-1ubuntu0.6
  python3-lxml                    4.2.1-1ubuntu0.6

Ubuntu 16.04 ESM:
  python-lxml                     3.5.0-1ubuntu0.4+esm2
  python3-lxml                    3.5.0-1ubuntu0.4+esm2

Ubuntu 14.04 ESM:
  python-lxml                     3.3.3-1ubuntu0.2+esm5
  python3-lxml                    3.3.3-1ubuntu0.2+esm5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5225-1
  CVE-2021-43818

Package Information:
  https://launchpad.net/ubuntu/+source/lxml/4.6.3+dfsg-0.1ubuntu0.2
  https://launchpad.net/ubuntu/+source/lxml/4.6.3-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/lxml/4.5.0-1ubuntu0.5
  https://launchpad.net/ubuntu/+source/lxml/4.2.1-1ubuntu0.6

Severity: Critical. LinuxSecurity.com Team
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs.

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2871-1
==========================================================================
Ubuntu Security Notice USN-4896-2
April 08, 2021

lxml vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

lxml could allow cross-site scripting (XSS) attacks.

Software Description:
- lxml: pythonic binding for the libxml2 and libxslt libraries

Details:

USN-4896-1 fixed a vulnerability in lxml. This update provides the
corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

 It was discovered that lxml incorrectly handled certain HTML attributes.
 A remote attacker could possibly use this issue to perform cross-site
 scripting (XSS) attacks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  python-lxml                     3.3.3-1ubuntu0.2+esm3
  python3-lxml                    3.3.3-1ubuntu0.2+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-4896-2
  https://ubuntu.com/security/notices/USN-4896-1
  CVE-2021-28957
==========================================================================
Ubuntu Security Notice USN-4896-1
March 30, 2021

lxml vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

lxml could allow cross-site scripting (XSS) attacks.

Software Description:
- lxml: pythonic binding for the libxml2 and libxslt libraries

Details:

It was discovered that lxml incorrectly handled certain HTML attributes.
A remote attacker could possibly use this issue to perform cross-site
scripting (XSS) attacks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
  python3-lxml                    4.5.2-1ubuntu0.4

Ubuntu 20.04 LTS:
  python-lxml                     4.5.0-1ubuntu0.3
  python3-lxml                    4.5.0-1ubuntu0.3

Ubuntu 18.04 LTS:
  python-lxml                     4.2.1-1ubuntu0.4
  python3-lxml                    4.2.1-1ubuntu0.4

Ubuntu 16.04 LTS:
  python-lxml                     3.5.0-1ubuntu0.4
  python3-lxml                    3.5.0-1ubuntu0.4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-4896-1
  CVE-2021-28957

Package Information:
  https://launchpad.net/ubuntu/+source/lxml/4.5.2-1ubuntu0.4
  https://launchpad.net/ubuntu/+source/lxml/4.5.0-1ubuntu0.3
  https://launchpad.net/ubuntu/+source/lxml/4.2.1-1ubuntu0.4
  https://launchpad.net/ubuntu/+source/lxml/3.5.0-1ubuntu0.4
Kevin Chung discovered that lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4880-1
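The advisories above describe two ways content slipped through the lxml HTML Cleaner: a crafted HTML attribute (CVE-2021-28957, DSA-4880-1 and USN-4896-1) and script content, including script inside SVG documents embedded through data: URIs (CVE-2021-43818, RHSA-2022:1664 and DLA-2871-1). Upgrading is the fix, but a practitioner who feeds sanitizer output to a browser usually also wants a second, independent check that the output is free of exactly these constructs. The following is an added example written for this page, not code from lxml or from any of the vendors above. It uses only the Python standard library, so it does not depend on which lxml is installed, and it is meant to run over the output of a sanitizer. The attribute it flags by name, formaction, is the HTML5 attribute the upstream lxml fix for CVE-2021-28957 added to the cleaner's removal list; that detail is not stated in the advisories above. The event-handler and javascript: URL checks go beyond what the advisories describe and are included as the obvious generalisation of the same class. The sample documents at the bottom are constructed for the example and are not taken from the CVE records.

```python
"""Audit sanitized HTML for the lxml HTML Cleaner bypass classes described in
the lxml advisories: a dangerous attribute (formaction) and script content,
including script inside SVG carried in a data: URI. Standard library only."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Attributes whose value is a URL and can therefore carry a data: or
# javascript: payload. "formaction" is named in the upstream CVE-2021-28957
# fix; the others generalise the same check (assumption, not from the page).
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster",
             "background", "xlink:href"}
# Media-type fragments whose payload is itself a document that may run script.
ACTIVE_MIME_HINT = ("svg", "html", "xml", "javascript", "ecmascript")
EVENT_HANDLER = re.compile(r"on[a-z]+")


def decode_data_uri(value):
    """Return (media_type, payload_bytes) for a data: URI, or None otherwise."""
    v = value.strip()
    if not v.lower().startswith("data:") or "," not in v:
        return None
    header, body = v[5:].split(",", 1)
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] if params and params[0] else "text/plain"
    if "base64" in params[1:]:
        try:
            payload = base64.b64decode(body, validate=False)
        except ValueError:          # binascii.Error is a ValueError
            payload = b""
    else:
        payload = unquote_to_bytes(body)
    return media_type, payload


class BypassAuditor(HTMLParser):
    """Collect (kind, tag, detail) findings while walking sanitized HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.findings.append(("script-element", tag, ""))
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name == "formaction":
                self.findings.append(("formaction-attr", tag, value))
            elif EVENT_HANDLER.fullmatch(name):
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS:
                self._check_url(tag, name, value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; any non-blank text
        # here is executable content a cleaner should have removed.
        if self._in_script and data.strip():
            self.findings.append(("script-content", "script", data.strip()[:60]))

    def _check_url(self, tag, attr, value):
        if value.strip().lower().startswith("javascript:"):
            self.findings.append(("javascript-url", tag, attr))
            return
        decoded = decode_data_uri(value)
        if decoded is None:
            return
        media_type, payload = decoded
        if any(h in media_type for h in ACTIVE_MIME_HINT) and b"<script" in payload.lower():
            self.findings.append(("data-uri-embedded-script", tag, media_type))


def audit(html):
    """Parse `html` and return the list of findings; an empty list is clean."""
    auditor = BypassAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed samples modelled on the advisory descriptions.
SVG_WITH_SCRIPT = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SAMPLE_FORMACTION = '<form><button formaction="javascript:alert(1)">Save</button></form>'
SAMPLE_SVG_DATA_URI = ('<img src="data:image/svg+xml;base64,'
                       + base64.b64encode(SVG_WITH_SCRIPT.encode()).decode() + '">')
SAMPLE_CLEAN = '<p>Hello <a href="https://example.org/">there</a>.</p>'

if __name__ == "__main__":
    for label, doc in [("formaction", SAMPLE_FORMACTION),
                       ("svg-data-uri", SAMPLE_SVG_DATA_URI),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, audit(doc))
```

Run it against the output of whatever cleaner you use; any finding on sanitized output means the cleaner version in front of it still lets one of these constructs through. The decoder deliberately inspects the decoded data: payload rather than the URI text, because the embedded SVG script that CVE-2021-43818 describes is invisible to a plain string search when base64-encoded.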