Debian Bug report logs - #746812
python-lxml: CVE-2014-3146: clean_html input sanitization flaw
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 3 May 2014 21:24:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version lxml/2.2.8-2
Fixed in versions lxml/3.3.5-1, lxml/2.3.2-1+deb7u1
Done: Moritz Mühlenhoff <jmm@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>: Bug#746812; Package src:lxml. (Sat, 03 May 2014 21:24:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Sat, 03 May 2014 21:24:06 GMT)

Message #5 received at submit@bugs.debian.org:
Source: lxml
Severity: important
Tags: security upstream fixed-upstream
Hi
It was found that the clean_html() function does not properly clean
HTML input if it includes non-printed characters (\x01-\x08). For
details see [1], [2] and [3].
[1] http://seclists.org/fulldisclosure/2014/Apr/210
[2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1092613
Upstream has released a new version (3.3.5)[4] and the corresponding
commit is [5].
[4] http://lxml.de/3.3/changes-3.3.5.html
[5] https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
Regards,
Salvatore
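The report above describes the flaw only in one sentence: affected clean_html() versions did not cope with input containing the non-printable characters \x01-\x08. The real fix is the upgrade to the versions listed in this bug (upstream 3.3.5, Debian 2.3.2-1+deb7u1), but a defender can also refuse to hand such bytes to any HTML sanitizer in the first place. The following pre-filter is an added example for this bug log, not code from the report, from lxml or from Debian; it generalizes beyond the reported range to every C0 control character except tab, newline and carriage return (plus DEL), since none of those belong in HTML text. The `cleaner` callable and the sample input are assumptions for the demonstration.

```python
"""Pre-filter untrusted HTML for C0 control characters before sanitization.

Added example for Debian bug #746812 (CVE-2014-3146); not lxml's code.
The bug report says affected clean_html() versions did not properly clean
input containing the non-printable characters 0x01-0x08. Rather than
relying on the sanitizer to cope with such bytes, detect, strip or reject
them up front. This filter is broader than the reported range: it covers
every C0 control except tab, newline and carriage return, plus DEL (0x7f).
"""
import re
from typing import Callable, List, Optional, Tuple

# Everything in 0x00-0x1f except \t (0x09), \n (0x0a), \r (0x0d), plus DEL.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def find_control_chars(html: str) -> List[Tuple[int, int]]:
    """Return (offset, codepoint) for every disallowed control character.

    Useful for logging: a non-empty result on user-supplied HTML is worth
    recording, because legitimate markup never needs these characters.
    """
    return [(m.start(), ord(m.group())) for m in _CONTROL_CHARS.finditer(html)]


def strip_control_chars(html: str) -> str:
    """Remove disallowed control characters so the sanitizer sees plain markup."""
    return _CONTROL_CHARS.sub("", html)


def guarded_clean(html: str, cleaner: Callable[[str], str], *,
                  reject: bool = False) -> Optional[str]:
    """Run `cleaner` (for instance lxml.html.clean.clean_html) on pre-filtered input.

    With reject=True, input containing control characters is refused and None
    is returned so the caller can log and drop it; otherwise the characters are
    stripped before the sanitizer runs. Tabs and line breaks are left intact.
    """
    hits = find_control_chars(html)
    if hits and reject:
        return None
    return cleaner(strip_control_chars(html) if hits else html)


if __name__ == "__main__":
    # Constructed sample: a harmless paragraph with a stray 0x02 byte in the text.
    sample = "<p>hel\x02lo</p>"
    print(find_control_chars(sample))                        # [(6, 2)]
    print(guarded_clean(sample, lambda s: s))                 # <p>hello</p>
    print(guarded_clean(sample, lambda s: s, reject=True))    # None
```

In a real deployment `cleaner` would be the sanitizer itself; the identity lambda is used here only so the block runs without lxml installed. Treat the filter as defence in depth, not as a substitute for the fixed package versions recorded in this bug.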
Marked as found in versions lxml/2.2.8-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 May 2014 21:39:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#746812; Package src:lxml. (Sat, 10 May 2014 06:39:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 10 May 2014 06:39:04 GMT)

Message #12 received at 746812@bugs.debian.org:
Control: retitle -1 python-lxml: CVE-2014-3146: clean_html input sanitization flaw
Hi
CVE-2014-3146 was assigned for this issue[1].
[1] http://www.openwall.com/lists/oss-security/2014/05/09/7
Regards,
Salvatore
Changed Bug title to 'python-lxml: CVE-2014-3146: clean_html input sanitization flaw' from 'python-lxml: clean_html input sanitization flaw'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 746812-submit@bugs.debian.org. (Sat, 10 May 2014 06:39:04 GMT)
Marked as fixed in versions lxml/3.3.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 May 2014 20:06:08 GMT)
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 May 2014 20:06:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 18 May 2014 20:06:10 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#746812. (Sun, 18 May 2014 20:06:14 GMT)

Message #23 received at 746812-submitter@bugs.debian.org:
close 746812 3.3.5-1
thanks
Hi,
CVE-2014-3146 is fixed with the upstream 3.3.5 upload. Closing the bug report
with the given version.
Regards,
Salvatore
Reply sent to Moritz Mühlenhoff <jmm@debian.org>: You have taken responsibility. (Wed, 04 Jun 2014 07:51:19 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 04 Jun 2014 07:51:19 GMT)

Message #28 received at 746812-close@bugs.debian.org:
Source: lxml
Source-Version: 2.3.2-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
lxml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 746812@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated lxml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 23 May 2014 00:16:19 +0200
Source: lxml
Binary: python-lxml python-lxml-dbg python3-lxml python3-lxml-dbg python-lxml-doc
Architecture: source all amd64
Version: 2.3.2-1+deb7u1
Distribution: stable-security
Urgency: low
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
python-lxml - pythonic binding for the libxml2 and libxslt libraries
python-lxml-dbg - pythonic binding for the libxml2 and libxslt libraries (debug ext
python-lxml-doc - pythonic binding for the libxml2 and libxslt libraries (documenta
python3-lxml - pythonic binding for the libxml2 and libxslt libraries
python3-lxml-dbg - pythonic binding for the libxml2 and libxslt libraries (debug ext
Closes: 746812
Changes:
lxml (2.3.2-1+deb7u1) stable-security; urgency=low
.
* CVE-2014-3146 (Closes: #746812)
Checksums-Sha1:
e8531dacae4623a93e8c554423afae548c3bff25 2070 lxml_2.3.2-1+deb7u1.dsc
86e5e0bbfcf3db49d06ce74cc9b0da35955cf12a 3134325 lxml_2.3.2.orig.tar.gz
99851298da8482530dd145fc7b47ed8cec0e2175 7238 lxml_2.3.2-1+deb7u1.diff.gz
9631eec2d1cbb2977a7f8e6a05803ee7dc9c4223 1614792 python-lxml-doc_2.3.2-1+deb7u1_all.deb
6ce0469c34f10da32af8f756e28adb31c5a689e7 1238326 python-lxml_2.3.2-1+deb7u1_amd64.deb
23b3a138d0b5432cd5866a6d94d7b32fb1c226ff 4983212 python-lxml-dbg_2.3.2-1+deb7u1_amd64.deb
a21d2ce24d0ce8647215c26d94c85c6d61cdf3a9 684714 python3-lxml_2.3.2-1+deb7u1_amd64.deb
80c75b1814e06d22d88b3e18255d25f1286493a1 2507566 python3-lxml-dbg_2.3.2-1+deb7u1_amd64.deb
Checksums-Sha256:
f7b67c9f64a599015ec47f1ad75539cb33e81a02021314cdfb61291b507f2b43 2070 lxml_2.3.2-1+deb7u1.dsc
32bf688a03d18caa74840764727e8fa29bb29950f7a190a0b969150a3869a6a1 3134325 lxml_2.3.2.orig.tar.gz
383a9a740f89a28b3834b98d3ff0426973bfa095c63fd38d9cfccd424ff0d1ab 7238 lxml_2.3.2-1+deb7u1.diff.gz
41a182fb35d3c597fa37d2cdf75a728bdf33c563258164063d4e045fde920793 1614792 python-lxml-doc_2.3.2-1+deb7u1_all.deb
ba3ca620d59bba2d50f61d895a2b0c9258a68763801828e44d75f00ad78dada8 1238326 python-lxml_2.3.2-1+deb7u1_amd64.deb
84c74c4706b34ab12cd6778679b7e7d1594e6aff0595adb82b1ce1c581ba918d 4983212 python-lxml-dbg_2.3.2-1+deb7u1_amd64.deb
688266fb708568878268f28d9abfada9551f9788287f48b07c5c7aba0be4a8b2 684714 python3-lxml_2.3.2-1+deb7u1_amd64.deb
64924f44a9f4225b1e0d7119ae764914f1bf0603cba2b686caa95caaf81607ca 2507566 python3-lxml-dbg_2.3.2-1+deb7u1_amd64.deb
Files:
355e8cc5406853bd2248ff3ba3081e50 2070 python optional lxml_2.3.2-1+deb7u1.dsc
50ed3706da4665c40600fd6e2a7d1159 3134325 python optional lxml_2.3.2.orig.tar.gz
dee721eb9c239807c2220b18d691b0d6 7238 python optional lxml_2.3.2-1+deb7u1.diff.gz
e314ac51884734a5295dc0a866559d55 1614792 doc extra python-lxml-doc_2.3.2-1+deb7u1_all.deb
a99e34f7241e4f9cd850d9375bbb82bc 1238326 python optional python-lxml_2.3.2-1+deb7u1_amd64.deb
d6ce713bcbd28077701e8747f9a3c347 4983212 debug extra python-lxml-dbg_2.3.2-1+deb7u1_amd64.deb
fb2f892eeb00c60d2e4d692497f95474 684714 python optional python3-lxml_2.3.2-1+deb7u1_amd64.deb
bc1b8c4aed483eda60f62baaf46b0df6 2507566 debug extra python3-lxml-dbg_2.3.2-1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=yVwg
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 Jul 2014 07:26:01 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:02 2019.