
An lxml security update has been released for Debian GNU/Linux 8 Extended LTS to address cross-site scripting or possibly the execution of arbitrary code.



ELA-323-1 lxml security update

Package: lxml
Version: 3.4.0-1+deb8u2
Related CVEs: CVE-2018-19787, CVE-2020-27783

It was discovered that the clean_html() function of lxml, a Python library for HTML and XML processing, performed insufficient sanitisation for embedded JavaScript code. This could lead to cross-site scripting or possibly the execution of arbitrary code.

For Debian 8 jessie, these problems have been fixed in version 3.4.0-1+deb8u2.

We recommend that you upgrade your lxml packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
