Bugzilla – Bug 1193752
VUL-0: CVE-2021-43818: python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through
Last modified: 2022-10-21 07:48:55 UTC
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security-relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2032569
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43818
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
Affected packages:
- SUSE:Carwos:1/python-lxml 4.4.2
- SUSE:SLE-11-SP3:Update/python-lxml 2.3.6
- SUSE:SLE-11:Update/python-lxml 2.1.2
- SUSE:SLE-12-SP2:Update/python-lxml 3.6.1
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-lxml 4.2.4
- SUSE:SLE-15-SP2:Update/python-lxml 4.4.2
- SUSE:SLE-15:Update/python-lxml 4.0.0
- openSUSE:Factory/python-lxml 4.6.4

Upstream patches:
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
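The advisory above names two things a deployer wants to check: whether the installed lxml is at least 4.6.5, and whether content already passed through an older cleaner carries the pattern the advisory describes (script content inside SVG embedded via data: URIs). The following script is an added example, not lxml's own code and not part of the bug report; it uses only the Python standard library so it runs without lxml installed. The function names, the marker heuristics and the sample HTML document are assumptions constructed for illustration.

```python
"""
Audit HTML for data: URIs whose embedded SVG/markup carries script content,
and check an lxml version string against the fixed release named in
CVE-2021-43818. Added example (not lxml code); standard library only.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# First upstream lxml release the advisory names as fixed.
FIXED_LXML = (4, 6, 5)


def parse_version(ver: str) -> tuple:
    """Leading numeric components of a version ("4.7.1-3.7.1" -> (4, 7, 1))."""
    parts = [int(p) for p in re.findall(r"\d+", ver)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def lxml_cleaner_is_patched(ver: str) -> bool:
    """True when the *upstream* version is >= 4.6.5.

    Caveat: distribution packages that backport the fix (e.g. SUSE's
    python-lxml-3.6.1-8.5.1 from SUSE-SU-2022:0895-1) keep the old upstream
    number; for those, the package changelog is authoritative, not this check.
    """
    return parse_version(ver) >= FIXED_LXML


# RFC 2397 shape: data:[<mime>][;param...],<payload>
DATA_URI_RE = re.compile(
    r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<payload>.*)$",
    re.S | re.I,
)


def decode_data_uri(value: str):
    """Return (mime, decoded_text) for a data: URI, or None for anything else."""
    m = DATA_URI_RE.match(value)
    if not m:
        return None
    mime = m.group("mime").strip().lower() or "text/plain"
    payload = m.group("payload")
    if ";base64" in m.group("params").lower():
        try:
            raw = base64.b64decode(payload)
        except ValueError:  # bad padding or non-ASCII: undecodable, report empty body
            return mime, ""
        return mime, raw.decode("utf-8", "replace")
    return mime, unquote(payload)


def active_content_markers(text: str) -> list:
    """Heuristic markers of executable content inside embedded markup (assumed set)."""
    found = []
    if re.search(r"<\s*script\b", text, re.I):
        found.append("script-element")
    if re.search(r"\son[a-z]+\s*=", text, re.I):
        found.append("event-handler")
    if re.search(r"javascript\s*:", text, re.I):
        found.append("javascript-uri")
    return found


class DataUriAuditor(HTMLParser):
    """Collect every attribute whose data: URI payload contains script markers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            decoded = decode_data_uri(value)
            if decoded is None:
                continue
            mime, body = decoded
            markers = active_content_markers(body)
            if markers:
                self.findings.append(
                    {"tag": tag, "attr": name, "mime": mime, "markers": markers})


def audit_html(html: str) -> list:
    parser = DataUriAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample input (not taken from the bug report): two SVGs carrying
# script content, one clean SVG, and one ordinary external URL.
SVG_WITH_SCRIPT = '<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("embedded")</script></svg>'
SVG_WITH_HANDLER = '<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><circle r="1"/></svg>'
SVG_CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


SAMPLE_HTML = (
    f'<p>Avatar: <img src="data:image/svg+xml;base64,{_b64(SVG_WITH_SCRIPT)}" alt="a"></p>'
    f'<object data="data:image/svg+xml,{quote(SVG_WITH_HANDLER)}"></object>'
    f'<img src="data:image/svg+xml;base64,{_b64(SVG_CLEAN)}">'
    f'<img src="https://example.invalid/logo.png">'
)

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
    print("lxml 4.6.4 patched upstream?", lxml_cleaner_is_patched("4.6.4"))
```

Run against the sample, the auditor reports the base64 `<img>` (script element) and the percent-encoded `<object>` (event handler) and stays quiet on the clean SVG and the external URL. The marker regexes are deliberately broad; treat a hit as a reason to re-clean or drop the content with a patched lxml, not as a verdict on its own.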
This is an autogenerated message for OBS integration: This bug (1193752) was mentioned in https://build.opensuse.org/request/show/943802 Factory / python-lxml
I've discussed it with the maintenance team and updated the package for SUSE:SLE-15-SP2:Update to 4.7.1 a few days ago. It was accepted: https://build.suse.de/request/show/263873 CVE-2021-43818 was fixed in version 4.6.5, which is included in the above version. :) I'm not entirely sure which channels get triggered by this. Also, SUSE:SLE-11:Update/python-lxml and SUSE:SLE-11-SP3:Update/python-lxml look quite old. General support already ended on 31 Mar 2019.
Thanks Gabriele! No problem. :) I've tried to update SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-lxml to 4.7.1 but am currently struggling with the tests. I get this message:
-----
[ 2s] Building lxml version 4.7.1.
[ 2s] Building with Cython 0.28.4.
[ 2s] Building against libxml2 2.9.4 and libxslt 1.1.28 ...
[ 54s] + /usr/bin/python3 setup.py build '--executable=/usr/bin/python3 -s' --with-cython
[ 54s] This lxml version requires Python 2.7, 3.5 or later.
-----
As far as I can see, there was also no Python3 package for the above repo. So I've tried explicitly adding a line with "%define skip_python3 1", but without success. I could remove the tests, but it would be nice to keep the SPEC files consistent if possible. Any hints?
openSUSE-SU-2022:0803-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): python-lxml-4.7.1-3.7.1
openSUSE Leap 15.3 (src): python-lxml-4.7.1-3.7.1
SUSE-SU-2022:0803-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): python-lxml-4.7.1-3.7.1
SUSE Manager Retail Branch Server 4.1 (src): python-lxml-4.7.1-3.7.1
SUSE Manager Proxy 4.1 (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): python-lxml-4.7.1-3.7.1
SUSE Enterprise Storage 7 (src): python-lxml-4.7.1-3.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0895-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-lxml-3.6.1-8.5.1
SUSE OpenStack Cloud 8 (src): python-lxml-3.6.1-8.5.1
SUSE Linux Enterprise Server 12-SP5 (src): python-lxml-3.6.1-8.5.1
HPE Helion Openstack 8 (src): python-lxml-3.6.1-8.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SR with the update for the Salt Bundle was created: https://build.opensuse.org/request/show/966354
SUSE-SU-2022:1729-1: An update that solves 17 vulnerabilities, contains two features and has one errata is now available.
Category: security (important)
Bug References: 1118088,1179534,1184177,1186380,1189390,1189794,1192070,1192073,1192075,1193597,1193688,1193752,1194521,1194551,1194552,1194952,1194954,1199138
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-38155,CVE-2021-40085,CVE-2021-41182,CVE-2021-41183,CVE-2021-41184,CVE-2021-43813,CVE-2021-43818,CVE-2021-44716,CVE-2022-22815,CVE-2022-22816,CVE-2022-22817,CVE-2022-23451,CVE-2022-23452,CVE-2022-29970
JIRA References: SOC-11620,SOC-11621
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, rubygem-sinatra-1.4.6-4.3.1
SUSE OpenStack Cloud 9 (src): ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1, grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, venv-openstack-barbican-7.0.1~dev24-3.35.2, venv-openstack-cinder-13.0.10~dev24-3.38.1, venv-openstack-designate-7.0.2~dev2-3.35.1, venv-openstack-glance-17.0.1~dev30-3.33.1, venv-openstack-heat-11.0.4~dev4-3.35.1, venv-openstack-horizon-14.1.1~dev11-4.39.1, venv-openstack-ironic-11.1.5~dev18-4.33.1, venv-openstack-keystone-14.2.1~dev9-3.36.1, venv-openstack-magnum-7.2.1~dev1-4.35.1, venv-openstack-manila-7.4.2~dev60-3.41.1, venv-openstack-monasca-2.7.1~dev10-3.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.35.1, venv-openstack-neutron-13.0.8~dev206-6.39.1, venv-openstack-nova-18.3.1~dev91-3.39.1, venv-openstack-octavia-3.2.3~dev7-4.35.1, venv-openstack-sahara-9.0.2~dev15-3.35.1, venv-openstack-swift-2.19.2~dev48-2.30.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.