PublicDateAtUSN: 2014-05-14
Candidate: CVE-2014-3146
PublicDate: 2014-05-14 19:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3146
 http://lxml.de/3.3/changes-3.3.5.html
 http://seclists.org/fulldisclosure/2014/Apr/210
 https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
 http://www.openwall.com/lists/oss-security/2014/05/09/7
 http://secunia.com/advisories/58013
 http://seclists.org/fulldisclosure/2014/Apr/319
 https://ubuntu.com/security/notices/USN-2217-1
Description:
 Incomplete blacklist vulnerability in the lxml.html.clean module in lxml
 before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS)
 attacks via control characters in the link scheme to the clean_html
 function.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746812
 https://bugs.launchpad.net/ubuntu/+source/lxml/+bug/1319603
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS: 

Patches_lxml:
 upstream: https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
upstream_lxml: released (3.3.5)
lucid_lxml: ignored (reached end-of-life)
precise_lxml: released (2.3.2-1ubuntu0.2)
quantal_lxml: ignored (reached end-of-life)
saucy_lxml: released (3.2.0-1ubuntu0.1)
trusty_lxml: released (3.3.3-1ubuntu0.1)
trusty/esm_lxml: released (3.3.3-1ubuntu0.1)
devel_lxml: not-affected (3.3.5-1)