From ${URL} :

The lxml.html.clean module cleans up HTML by removing embedded or script content, special tags, CSS style annotations and much more. It was found [1] that the clean_html() function, provided by the lxml.html.clean module, did not properly clean HTML input if it included non-printed characters (\x01-\x08). A remote attacker could use this flaw to serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a website generated by this application.

This issue has been reported upstream at [2] and a patch is available at [3].

[1] http://seclists.org/fulldisclosure/2014/Apr/210
[2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
[3] https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
There are no < 16 current versions of lxml with 3 made stable. The most recently bumped has this patch in place. Just how do you suggest clean up in this instance? I see no reference to affected version are da da da da.
(In reply to Ian Delaney from comment #1)
> There are no < 16 current versions of lxml with 3 made stable. The most
> recently bumped has this patch in place. Just how do you suggest clean up
> in this instance? I see no reference to affected version are da da da da.

From the pages doing a search, it looks like all the previous versions other than dev-python/lxml-3.3.5 have this vulnerability. Without examining the code it looks like the stable versions: 3.3.0, 3.2.1, 3.0.1, and maybe even 2.3.4 are affected. If testing is sufficiently done, then we would stabilize 3.3.5, and during the cleanup stage remove all previous versions if there are no objections, or breaking of packages. This is a B4 bug which means by policy that we have 20 days to fix.
> If testing is sufficiently done,

Hmmm ok. Well you have some days left in the 20 to receive any further input re further testing. From here I see no reason not to go straight to making the only patched version lxml-3.3.5 stable and clean accordingly. Let's see if there are any who differ prior to CC'ing arches.
Sounds fine to me.
Arch teams please make stable lxml-3.3.5

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
(In reply to Ian Delaney from comment #5)
> Arch teams please make stable lxml-3.3.5
>
> alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

No. Do something like this:

Arch teams, please test and mark stable:
=dev-python/lxml-3.3.5
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable
ia64 stable
sparc stable
arm stable
alpha stable. Maintainer(s), please clean up. Security, please vote.
(In reply to Ian Delaney from comment #3)
> If testing is sufficiently done, Hmmm ok. Well you have some days left in
> the 20 to receive any further input re further testing. From here I see no
> reason not to go straight to making the only patched version lxml-3.3.5
> stable and clean accordingly. Let's see if there are any who differ prior
> to CC'ing arches.

Ok. We have been stable for 20+ days .. I see no bugs filed. So let's clean up as per this comment please. Maintainer(s), please drop the vulnerable version.
CVE-2014-3146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3146): Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
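As an added example (not the page's or lxml's own code, and not the upstream patch) of the check the bug description and the CVE entry above say was missing: the link scheme has to be parsed only after the control characters a browser ignores have been removed, otherwise a cleaner sees "no scheme" where the browser sees one. The allowlist, the regexes and the sample HTML with its placeholder scheme are all constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Characters a browser drops while resolving a link, which a check on the raw
# attribute string mistakes for "no scheme here": ASCII controls, whitespace,
# DEL. Dropping spaces mid-URL is stricter than browsers; that errs safe.
_IGNORED_IN_SCHEME = re.compile(r"[\x00-\x20\x7f]")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
# Constructed allowlist; a real sanitizer takes this from its configuration.
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

def naive_scheme(href):
    """Pre-fix style check: parse the scheme straight off the raw string."""
    m = _SCHEME_RE.match(href)
    return m.group(1).lower() if m else None

def effective_scheme(href):
    """Scheme the browser will act on, or None for a relative link."""
    m = _SCHEME_RE.match(_IGNORED_IN_SCHEME.sub("", href))
    return m.group(1).lower() if m else None

def is_safe_href(href):
    """Keep relative links and allowlisted schemes, judged after normalizing."""
    scheme = effective_scheme(href)
    return scheme is None or scheme in SAFE_SCHEMES

class HrefScanner(HTMLParser):
    """Collect (href, is_safe) for every href attribute in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value is not None:
                self.findings.append((value, is_safe_href(value)))

def scan_hrefs(html):
    scanner = HrefScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: an ordinary link and one whose placeholder scheme is
# split by \x01, the class of character the unpatched cleaner let through.
SAMPLE_HTML = ('<a href="https://example.com/">ok</a>'
               '<a href="not\x01allowed:placeholder">hidden scheme</a>')
```

Running `scan_hrefs(SAMPLE_HTML)` shows the difference: `naive_scheme` returns None for the second href (so a blacklist check would pass it), while `effective_scheme` recovers the scheme and `is_safe_href` rejects it.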
Maintainer(s), thank you for the cleanup! GLSA Vote: No
GLSA vote: no. Closing as [noglsa]