-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3715-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
January 23, 2024                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : jinja2
Version        : 2.10-2+deb10u1
CVE ID         : CVE-2024-22195
Debian Bug     : 1060748

It was discovered that there was an injection vulnerability in jinja2, a
popular templating engine used in various Python applications. The
"xmlattr" filter did not reject attribute names (dictionary keys)
containing spaces, so an application that passed user-controlled keys to
the filter allowed an attacker to inject arbitrary HTML attributes into
the rendered HTML, potentially leading to a Cross-Site Scripting (XSS)
attack. Because the injected attributes are carried inside an
attacker-chosen key rather than appearing as keys of their own,
blacklist-based attribute validation checks could also be bypassed.

For Debian 10 buster, this problem has been fixed in version
2.10-2+deb10u1.

We recommend that you upgrade your jinja2 packages.

For the detailed security status of jinja2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jinja2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmWv734ACgkQHpU+J9Qx
HljLLRAAsITnDZpY6xmezJMQiuGYc4yoEf8VFz+3XpoNWLZwbDiyx5TfadYH5Qcq
/Qcc7webGCGgdT3RvfbzCG2vWWxfZINcnjDfFYbBvGvxxHimuDmeCEcd+CnIpCaq
qxlvIg2/4p9L7ywPimNYHJOq78VC058f1D9hDep9tH72JRfoalGAk4xFShymoDaw
XDRnnbfRPIHybzgXu2k0jGHcXTvL6YKCQaOhRUr93bEMwTtXzVOAL/+XLC4vcpJb
8Hd4RrpHPgM/roSfinSCzvqr94oaGHod+CeH4bkd64B7NZLZf2yZHjpnUVn00tWo
fNr1j4sYBRn6NaLnwC2YBctaYjeZksoL0a5cpI388WaFBFdulGwh8lM2o/2gwfa1
yzeSdmBFWOCeGiu9AOg/QTycxk0M23rhCvurj7PR+YYdSNxLhNseUUYE7+qBLTME
ujeF/F6rSRY1chG+Jb4+gWVFu0AXGYIiM4XtjmMJCz4mIoYaHCk8wWBpNGVA5kvJ
LEFh6bop/bKmmbyAdwFqv1Rgcm2QwCngkUX1S7RYebtxeDerPTYkL+JkttU+kxLW
rl9HIEPcTxIdL6dhD/9+4mHdbyQekgDmwpZhtCzaElqnhz9ymrZQYbBCvJh+g71j
8TwkIizfBIPRwmTCsHiIUGXth/nx/+Ga49QVYaaiX7/1YYTekT0=
=iLr6
-----END PGP SIGNATURE-----
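The following is an added example, not code from the advisory or from jinja2 itself. It reimplements the shape of the xmlattr filter in plain Python (keys and values HTML-escaped, joined as key="value" pairs, no dependency on jinja2) so it runs offline, and shows why escaping alone does not help once the attacker controls a key: unquoted attribute values are valid HTML, so a key such as src=x onerror=alert(1) data-x needs no quote characters, passes a blacklist that only looks at whole dictionary keys, and still lands an event handler in the output. The sample dictionary, the blacklist and the strict attribute-name allowlist used by the hardened variant are constructed for this example; the upstream fix rejects keys containing whitespace, and the allowlist here is a deliberately stricter choice.

```python
import html
import re

# Constructed sample input: an application that lets users choose attribute
# *names* (for example a "custom attributes" form field) and passes the mapping
# straight to xmlattr. The second key is the attacker-controlled one.
ATTACKER_ATTRS = {
    "class": "avatar",
    # The payload lives in the key. Unquoted attribute values are valid HTML,
    # so no quote characters are needed and escaping the key does not help.
    "src=x onerror=alert(1) data-x": "harmless",
}

# A naive blacklist of event-handler attribute names, the kind of check the
# advisory says could be bypassed. (Constructed for this example.)
FORBIDDEN_ATTR_NAMES = {"onerror", "onload", "onclick", "onmouseover"}

# Assumed strict attribute-name pattern used by the hardened variant below.
# The upstream fix for CVE-2024-22195 rejects keys containing whitespace; this
# allowlist is the stricter choice made for this example.
_ATTR_NAME_RE = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.-]*$")


def _render_pairs(attrs, check_key):
    """Render key="value" pairs the way xmlattr does: skip None values, escape
    both key and value, prefix the result with a space when non-empty."""
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        check_key(key)
        key_html = html.escape(str(key), quote=True)
        value_html = html.escape(str(value), quote=True)
        parts.append(f'{key_html}="{value_html}"')
    return " " + " ".join(parts) if parts else ""


def xmlattr_vulnerable(attrs):
    """Pre-fix behaviour: keys are escaped but otherwise accepted verbatim."""
    return _render_pairs(attrs, lambda key: None)


def xmlattr_hardened(attrs):
    """Reject any key that is not a plain attribute name before rendering."""

    def check_key(key):
        if not _ATTR_NAME_RE.match(str(key)):
            raise ValueError(f"invalid attribute name: {key!r}")

    return _render_pairs(attrs, check_key)


def blacklist_allows(attrs):
    """Blacklist check on attribute names. Returns True when every name passes,
    which is the case for ATTACKER_ATTRS: 'onerror' is embedded inside another
    key and never appears as a dictionary key on its own."""
    return all(str(key).lower() not in FORBIDDEN_ATTR_NAMES for key in attrs)


def render_img(attrs, xmlattr):
    """Equivalent of the template '<img{{ attrs|xmlattr }}>'."""
    return f"<img{xmlattr(attrs)}>"


if __name__ == "__main__":
    print("blacklist passes:", blacklist_allows(ATTACKER_ATTRS))
    print("vulnerable:", render_img(ATTACKER_ATTRS, xmlattr_vulnerable))
    try:
        print("hardened:", render_img(ATTACKER_ATTRS, xmlattr_hardened))
    except ValueError as exc:
        print("hardened rejected the key:", exc)
```

The practical takeaway for application code is that attribute names should never be user-controlled in the first place; validating the value side, or blacklisting known-bad names, does not cover an attacker who owns the key. Where user-chosen names are unavoidable, an allowlist of the exact names the page expects is the only check that holds up.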