Source: jython
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

This also affects Jython:

CVE-2019-16935[0]:
| The documentation XML-RPC server in Python through 2.7.16, 3.x through
| 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field.
| This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
| Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
| untrusted input, arbitrary JavaScript can be delivered to clients that
| visit the http URL for this server.

The fix in cpython was:
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16935
    https://www.cve.org/CVERecord?id=CVE-2019-16935

Please adjust the affected versions in the BTS as needed.
