Mageia Advisory: MGASA-2014-0218 - Updated python-lxml package fix CVE-2014-3146

Updated python-lxml package fix CVE-2014-3146

Publication date: 14 May 2014
Modification date: 14 May 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3146

Description

Updated python-lxml packages fix security vulnerability:

The clean_html() function, provided by the lxml.html.clean module, did not
properly clean HTML input if it included non-printed characters (\x01-\x08).
A remote attacker could use this flaw to serve malicious content to an
application using the clean_html() function to process HTML, possibly
allowing the attacker to inject malicious code into a website generated by
this application (CVE-2014-3146).

References

https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132472.html
https://bugs.mageia.org/show_bug.cgi?id=13326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3146

SRPMS

3/core

python-lxml-3.0.1-2.1.mga3

4/core

python-lxml-3.2.4-1.1.mga4

Advisories » MGASA-2014-0218

Updated python-lxml package fix CVE-2014-3146

Description

References

SRPMS

3/core

4/core