Errata overview
Errata ID 563
Date 2018-12-12
Source package lxml
Fixed in version 3.4.0-1+deb8u1
This update addresses the following issues:
* An issue was discovered in lxml: the lxml.html.clean module does not remove
  javascript: URLs that use escaping, allowing a remote attacker to conduct
  XSS attacks. This is a similar issue to CVE-2014-3146. (CVE-2018-19787)
Additional notes
CVE ID CVE-2018-19787
UCS Bug number #48308