Bug#1027149: jython: CVE-2019-16935
Moritz Mühlenhoff
jmm at inutil.org
Wed Dec 28 17:34:03 GMT 2022
Source: jython
X-Debbugs-CC: team at security.debian.org
Severity: normal
Tags: security
Hi,
This also affects Jython:
CVE-2019-16935[0]:
| The documentation XML-RPC server in Python through 2.7.16, 3.x through
| 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field.
| This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
| Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
| untrusted input, arbitrary JavaScript can be delivered to clients that
| visit the http URL for this server.
The fix in cpython was:
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16935
https://www.cve.org/CVERecord?id=CVE-2019-16935
Please adjust the affected versions in the BTS as needed.
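The following is an added example (not part of the bug report, CPython or Jython) that reproduces the issue described above and checks whether the installed xmlrpc.server escapes the title. `PAYLOAD`, `render_doc_page`, `title_reflected_raw` and `probe_installed_docserver` are names constructed for illustration; `ServerHTMLDoc.page` and `DocCGIXMLRPCRequestHandler` are the real Python 3 classes (the Python 2 / Jython equivalent lives in Lib/DocXMLRPCServer.py).

```python
"""CVE-2019-16935: XSS via server_title in the XML-RPC documentation server.

Added example, not code from the bug report, CPython or Jython.  PAYLOAD and
the helper names below are constructed for illustration.
"""
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler, ServerHTMLDoc

# Constructed attacker-controlled title (e.g. read from a request or a config
# value that an unprivileged user can set).
PAYLOAD = '<script>alert("xss")</script>'


def render_doc_page(title, contents="", escape=False):
    """Render the documentation page the way xmlrpc.server does.

    escape=False mirrors the pre-fix code path: the title is interpolated
    into <title>...</title> verbatim.  escape=True applies the CPython fix
    (html.escape on server_title before calling ServerHTMLDoc.page).
    """
    if escape:
        title = html.escape(title)
    return ServerHTMLDoc().page(title, contents)


def title_reflected_raw(page, title=PAYLOAD):
    """True if the raw (unescaped) title appears in the rendered HTML."""
    return title in page


def add(a, b):
    """Trivial method so the generated documentation is non-empty."""
    return a + b


def probe_installed_docserver(title=PAYLOAD):
    """Check the installed xmlrpc.server, no socket needed.

    Builds a CGI-style documenting handler, sets an attacker-controlled
    server title, generates the HTML page and returns True only if the
    title comes back escaped (i.e. the CVE-2019-16935 fix is present).
    """
    handler = DocCGIXMLRPCRequestHandler()
    handler.register_function(add, "add")
    handler.set_server_title(title)
    page = handler.generate_html_documentation()
    return title not in page and html.escape(title) in page


if __name__ == "__main__":
    print("pre-fix rendering reflects payload:",
          title_reflected_raw(render_doc_page(PAYLOAD)))
    print("fixed rendering reflects payload:  ",
          title_reflected_raw(render_doc_page(PAYLOAD, escape=True)))
    print("installed xmlrpc.server escapes title:", probe_installed_docserver())
```

`probe_installed_docserver` is the check a packager can run against the interpreter actually shipped: on a patched CPython (3.7.5, 3.8 and later) it returns True; on an unpatched Python 2 tree the same logic, ported to `DocXMLRPCServer.DocCGIXMLRPCRequestHandler`, would return False because the raw `<script>` tag is written straight into the page.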