* CVE 2018-19787 https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109 "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by 'j a v a s c r i p t:' in Internet Explorer. This is a similar issue to CVE-2014-3146." -- CVE listing
Appears fixed in 4.2.5, so I suppose a call to stabilize dev-python/lxml-4.2.5 would be in order. * https://github.com/lxml/lxml/blob/master/CHANGES.txt#L44 -- Gentoo Security Scout Vladimir Krstulja
Arches, please stabilize.
ia64/ppc/ppc64 stable
sparc stable
x86 stable
amd64 stable
hppa stable
alpha stable
arm stable
s390 stable
arm64 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5017aebd8f4aaa096076cdde32a039188b6702b6 commit 5017aebd8f4aaa096076cdde32a039188b6702b6 Author: Virgil Dupras <vdupras@gentoo.org> AuthorDate: 2019-01-07 20:44:33 +0000 Commit: Virgil Dupras <vdupras@gentoo.org> CommitDate: 2019-01-07 20:44:33 +0000 dev-python/lxml: remove old Bug: https://bugs.gentoo.org/672874 Signed-off-by: Virgil Dupras <vdupras@gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11 dev-python/lxml/Manifest | 2 - .../lxml/files/lxml-3.6.4-fix-test_xmlschema.patch | 36 ---------- dev-python/lxml/lxml-4.1.1.ebuild | 80 --------------------- dev-python/lxml/lxml-4.2.6.ebuild | 82 ---------------------- 4 files changed, 200 deletions(-)
Cleanup done.