ALT-BU-2022-3926-4
Branch sisyphus update bulletin.
Package python3-module-lxml updated to version 4.7.1-alt1 for branch sisyphus in task 294772.
Closed vulnerabilities
Modified: 2025-11-26
BDU:2022-00756
Уязвимость реализации модуля Class Cleaner библиотеки для обработки разметки XML и HTML Lxml, позволяющая нарушителю осуществлять межсайтовые сценарные атаки
Modified: 2024-11-21
CVE-2021-43818
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
- https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
- https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
- https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
- https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
- https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
- https://security.gentoo.org/glsa/202208-06
- https://security.netapp.com/advisory/ntap-20220107-0005/
- https://www.debian.org/security/2022/dsa-5043
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
- https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
- https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
- https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
- https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
- https://security.gentoo.org/glsa/202208-06
- https://security.netapp.com/advisory/ntap-20220107-0005/
- https://www.debian.org/security/2022/dsa-5043
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Modified: 2024-09-30
GHSA-55x5-fj6c-h6m8
lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through
- https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
- https://nvd.nist.gov/vuln/detail/CVE-2021-43818
- https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
- https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
- https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.debian.org/security/2022/dsa-5043
- https://security.netapp.com/advisory/ntap-20220107-0005
- https://security.gentoo.org/glsa/202208-06
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7
- https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
- https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-852.yaml
- https://github.com/lxml/lxml
Closed vulnerabilities
Modified: 2024-09-13
BDU:2022-00703
Уязвимость компонента Pointer Lock браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-04-03
BDU:2022-00793
Уязвимость компонента Thumbnail Tab Strip браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
Modified: 2024-04-03
BDU:2022-00794
Уязвимость компонента Cast браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-04-03
BDU:2022-00795
Уязвимость расширений Extensions браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-04-03
BDU:2022-00796
Уязвимость компонента Accessibility браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-09-30
BDU:2022-00797
Уязвимость компонента Web Search браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
Modified: 2024-04-03
BDU:2022-00798
Уязвимость компонента Payments браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-04-03
BDU:2022-00799
Уязвимость компонента Extensions Platform браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-09-13
BDU:2022-00810
Уязвимость обработчика JavaScript-сценариев V8 браузера Google Chrome, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-04-03
BDU:2022-00812
Уязвимость обработчика JavaScript-сценариев V8 браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
Modified: 2024-04-03
BDU:2022-00813
Уязвимость режима чтения Reader Mode браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
Modified: 2024-04-03
BDU:2022-00816
Уязвимость функции захват экрана (Screen Capture) браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-04-03
BDU:2022-00817
Уязвимость компонента COOP браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-04-03
BDU:2022-00818
Уязвимость компонента Accessibility браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-04-03
BDU:2022-00819
Уязвимость компонента Scroll браузера Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации или вызвать отказ в обслуживании
Modified: 2024-04-03
BDU:2022-00844
Уязвимость компонента Window Dialog браузеров Microsoft Edge и Google Chrome, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-11-21
CVE-2022-0452
Use after free in Safe Browsing in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0453
Use after free in Reader Mode in Google Chrome prior to 98.0.4758.80 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0454
Heap buffer overflow in ANGLE in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0455
Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 98.0.4758.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0456
Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction.
Modified: 2024-11-21
CVE-2022-0457
Type confusion in V8 in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0458
Use after free in Thumbnail Tab Strip in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0459
Use after free in Screen Capture in Google Chrome prior to 98.0.4758.80 allowed a remote attacker who had compromised the renderer process and convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0460
Use after free in Window Dialogue in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0461
Policy bypass in COOP in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to bypass iframe sandbox via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0462
Inappropriate implementation in Scroll in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0463
Use after free in Accessibility in Google Chrome prior to 98.0.4758.80 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via user interaction.
Modified: 2024-11-21
CVE-2022-0464
Use after free in Accessibility in Google Chrome prior to 98.0.4758.80 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via user interaction.
Modified: 2024-11-21
CVE-2022-0465
Use after free in Extensions in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via user interaction.
Modified: 2024-11-21
CVE-2022-0466
Inappropriate implementation in Extensions Platform in Google Chrome prior to 98.0.4758.80 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0467
Inappropriate implementation in Pointer Lock in Google Chrome on Windows prior to 98.0.4758.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0468
Use after free in Payments in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0469
Use after free in Cast in Google Chrome prior to 98.0.4758.80 allowed a remote attacker who convinced a user to engage in specific interactions to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-0470
Out of bounds memory access in V8 in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Modified: 2024-11-21
CVE-2022-4025
Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low)
Package libguestfs updated to version 1.46.2-alt2 for branch sisyphus in task 294796.
Closed bugs
ошибка запуска виртуальной машины при использовании guestmount
Package python3-module-httplib2 updated to version 0.20.4-alt1 for branch sisyphus in task 294802.
Closed bugs
httplib2/auth.py: module 'pyparsing' has no attribute 'downcaseTokens'