==========================================================================
Ubuntu Security Notice USN-4666-2
December 11, 2020
lxml vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM
Summary:
lxml could allow cross-site scripting (XSS) attacks.
Software Description:
- lxml: pythonic binding for the libxml2 and libxslt libraries
Details:
USN-4666-1 partially fixed a vulnerability in lxml, but an additional patch was needed. This update provides
the corresponding additional patch in order to properly fix the vulnerability.
Original advisory details:
It was discovered that lxml incorrectly handled certain HTML.
An attacker could possibly use this issue to perform cross-site scripting (XSS) attacks.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.10:
python3-lxml 4.5.2-1ubuntu0.3
Ubuntu 20.04 LTS:
python-lxml 4.5.0-1ubuntu0.2
python3-lxml 4.5.0-1ubuntu0.2
Ubuntu 18.04 LTS:
python-lxml 4.2.1-1ubuntu0.3
python3-lxml 4.2.1-1ubuntu0.3
Ubuntu 16.04 LTS:
python-lxml 3.5.0-1ubuntu0.3
python3-lxml 3.5.0-1ubuntu0.3
Ubuntu 14.04 ESM:
python-lxml 3.3.3-1ubuntu0.2+esm2
python3-lxml 3.3.3-1ubuntu0.2+esm2
Ubuntu 12.04 ESM:
python-lxml 2.3.2-1ubuntu0.5
python3-lxml 2.3.2-1ubuntu0.5
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4666-2
https://usn.ubuntu.com/4666-1
CVE-2020-27783
Package Information:
https://launchpad.net/ubuntu/+source/lxml/4.5.2-1ubuntu0.3
https://launchpad.net/ubuntu/+source/lxml/4.5.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/lxml/4.2.1-1ubuntu0.3
https://launchpad.net/ubuntu/+source/lxml/3.5.0-1ubuntu0.3