Candidate: CVE-2016-9909
PublicDate: 2017-02-22 16:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9909
 https://www.sourceclear.com/registry/security/cross-site-scripting-xss-/python/sid-3068
 http://www.openwall.com/lists/oss-security/2016/12/06/5
 https://github.com/html5lib/html5lib-python/issues/11
 https://github.com/html5lib/html5lib-python/issues/12
Description:
 The serializer in html5lib before 0.99999999 might allow remote attackers to
 conduct cross-site scripting (XSS) attacks by leveraging mishandling of the <
 (less than) character in attribute values.
Ubuntu-Description:
Notes:
 sbeattie> same commit as CVE-2016-9910
 sbeattie> fix changes externally visible api from True|False boolean to a
  ternary value, which will break users.
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_html5lib:
 other: https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7
upstream_html5lib: released (0.999999999-1)
precise_html5lib: ignored (reached end-of-life)
precise/esm_html5lib: DNE (precise was needed)
trusty_html5lib: ignored (reached end-of-life)
trusty/esm_html5lib: DNE (trusty was needed)
vivid/stable-phone-overlay_html5lib: DNE
vivid/ubuntu-core_html5lib: DNE
xenial_html5lib: ignored (end of standard support, was needed)
esm-infra/xenial_html5lib: needed
yakkety_html5lib: ignored (reached end-of-life)
zesty_html5lib: not-affected (0.999999999-1)
artful_html5lib: not-affected (0.999999999-1)
bionic_html5lib: not-affected (0.999999999-1)
cosmic_html5lib: not-affected (0.999999999-1)
disco_html5lib: not-affected (0.999999999-1)
eoan_html5lib: not-affected (0.999999999-1)
focal_html5lib: not-affected (0.999999999-1)
groovy_html5lib: not-affected (0.999999999-1)
hirsute_html5lib: not-affected (0.999999999-1)
impish_html5lib: not-affected (0.999999999-1)
jammy_html5lib: not-affected (0.999999999-1)
devel_html5lib: not-affected (0.999999999-1)