* [Buildroot] [git commit branch/2020.11.x] package/python-lxml: security bump to version 4.6.3
@ 2021-04-03 10:17 Peter Korsgaard
From: Peter Korsgaard @ 2021-04-03 10:17 UTC
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=f1865e67499347d47ef793bfe9f2d7f8ff8d736d
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2020.11.x

Fix CVE-2021-28957: lxml 4.6.2 allows XSS. It places the HTML action
attribute into defs.link_attrs (in html/defs.py) for later use in input
sanitization, but does not do the same for the HTML5 formaction
attribute.

https://github.com/lxml/lxml/blob/lxml-4.6.3/CHANGES.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9d678ed1de2dec9896730c62d2240583bdda71c0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/python-lxml/python-lxml.hash | 2 +-
 package/python-lxml/python-lxml.mk   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/python-lxml/python-lxml.hash b/package/python-lxml/python-lxml.hash
index 7918e08745..dd6446e6cc 100644
--- a/package/python-lxml/python-lxml.hash
+++ b/package/python-lxml/python-lxml.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256  cd11c7e8d21af997ee8079037fff88f16fda188a9776eb4b81c7e4c9c0a7d7fc  lxml-4.6.2.tar.gz
+sha256  39b78571b3b30645ac77b95f7c69d1bffc4cf8c3b157c435a34da72e78c82468  lxml-4.6.3.tar.gz
 sha256  41d49dd406aa0e1548a6d5f21a30d6bf638b3cd96eb7289dd348d83ed2e40392  LICENSES.txt
 sha256  69edb445c1335a8312d4c09271847e9956d84f0d9f724d125340cc3fad767b2a  doc/licenses/BSD.txt
 sha256  0497ae8138811ef4466ede653bab7a59feb3d3c14f9ed50fc33a00aeb5bec32e  doc/licenses/elementtree.txt
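Review bot: The new lxml-4.6.3.tar.gz entry sits under the unchanged "# Locally computed" comment, so the sha256 has no stated upstream reference to compare it against. For a security bump, consider cross-checking the value against the sha256 digest PyPI publishes for the sdist and noting that source in the comment. The three license-file hashes are left untouched by this hunk, so it is also worth confirming that `make python-lxml-legal-info` still passes against the 4.6.3 tarball.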
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index a8874737e2..5aa2b86633 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-PYTHON_LXML_VERSION = 4.6.2
-PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37
+PYTHON_LXML_VERSION = 4.6.3
+PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/e5/21/a2e4517e3d216f0051687eea3d3317557bde68736f038a3b105ac3809247
 PYTHON_LXML_SOURCE = lxml-$(PYTHON_LXML_VERSION).tar.gz
 
 # Not including the GPL, because it is used only for the test scripts.
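Review bot: PYTHON_LXML_SITE moves to a new opaque files.pythonhosted.org path that cannot be matched to the version by reading it, so the only thing binding this URL to lxml 4.6.3 is the sha256 in python-lxml.hash. Since PYTHON_LXML_SOURCE is derived from PYTHON_LXML_VERSION, a stale or mistyped SITE would only show up at download time; confirm with an empty download directory that `make python-lxml-source` fetches from the new path and passes the hash check.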

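To illustrate the bug class named in the commit message, the following added example (not part of the original message, and not lxml's or Buildroot's code) models a sanitizer that only inspects attributes listed in a link-attribute set. The names LINK_ATTRS_BEFORE, LINK_ATTRS_AFTER and clean, the blocked-scheme list, and the sample markup are assumptions constructed here; the real list lives in lxml's html/defs.py.

```python
from html import escape
from html.parser import HTMLParser

# Simplified stand-ins for the link-attribute set (constructed, not lxml's full list).
LINK_ATTRS_BEFORE = frozenset({"action", "href", "src"})
LINK_ATTRS_AFTER = LINK_ATTRS_BEFORE | {"formaction"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")

def _is_script_url(value):
    # Browsers ignore whitespace and control characters inside the scheme.
    compact = "".join(ch for ch in (value or "") if ch > " ").lower()
    return compact.startswith(BLOCKED_SCHEMES)

class _Cleaner(HTMLParser):
    def __init__(self, link_attrs):
        super().__init__(convert_charrefs=True)
        self.link_attrs = link_attrs
        self.out = []

    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            # Only attributes in the set are URL-checked; anything else passes through.
            if name in self.link_attrs and _is_script_url(value):
                continue
            kept.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def clean(html, link_attrs):
    parser = _Cleaner(link_attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample input.
SAMPLE = ('<form action="javascript:void(0)">'
          '<button formaction="javascript:void(0)">Go</button></form>')
```

With LINK_ATTRS_BEFORE the action value is dropped but the formaction value passes through unchecked; with LINK_ATTRS_AFTER both are removed.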