* [Buildroot] [PATCH 1/1] package/python-lxml: security bump to version 4.6.3
@ 2021-03-29 20:33 Fabrice Fontaine
  2021-03-30  6:18 ` Peter Korsgaard
  2021-04-03 10:17 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-03-29 20:33 UTC (permalink / raw)
  To: buildroot

Fix CVE-2021-28957: lxml 4.6.2 allows XSS. It places the HTML action
attribute into defs.link_attrs (in html/defs.py) for later use in input
sanitization, but does not do the same for the HTML5 formaction
attribute.

https://github.com/lxml/lxml/blob/lxml-4.6.3/CHANGES.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/python-lxml/python-lxml.hash | 2 +-
 package/python-lxml/python-lxml.mk   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/python-lxml/python-lxml.hash b/package/python-lxml/python-lxml.hash
index 7918e08745..dd6446e6cc 100644
--- a/package/python-lxml/python-lxml.hash
+++ b/package/python-lxml/python-lxml.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256  cd11c7e8d21af997ee8079037fff88f16fda188a9776eb4b81c7e4c9c0a7d7fc  lxml-4.6.2.tar.gz
+sha256  39b78571b3b30645ac77b95f7c69d1bffc4cf8c3b157c435a34da72e78c82468  lxml-4.6.3.tar.gz
 sha256  41d49dd406aa0e1548a6d5f21a30d6bf638b3cd96eb7289dd348d83ed2e40392  LICENSES.txt
 sha256  69edb445c1335a8312d4c09271847e9956d84f0d9f724d125340cc3fad767b2a  doc/licenses/BSD.txt
 sha256  0497ae8138811ef4466ede653bab7a59feb3d3c14f9ed50fc33a00aeb5bec32e  doc/licenses/elementtree.txt
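Review bot: the license-file hashes (LICENSES.txt, doc/licenses/BSD.txt, doc/licenses/elementtree.txt) are carried over unchanged in this hunk, so the commit message should state that they were re-checked against the 4.6.3 tarball and found identical; and because the tarball line is marked "# Locally computed", it would also help to say that the new sha256 was compared against the value PyPI publishes for lxml-4.6.3.tar.gz rather than computed from the download alone, which is the check that matters for a security bump.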
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index fe99f82472..0d3775a1bd 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-PYTHON_LXML_VERSION = 4.6.2
-PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37
+PYTHON_LXML_VERSION = 4.6.3
+PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/e5/21/a2e4517e3d216f0051687eea3d3317557bde68736f038a3b105ac3809247
 PYTHON_LXML_SOURCE = lxml-$(PYTHON_LXML_VERSION).tar.gz
 
 # Not including the GPL, because it is used only for the test scripts.
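Review bot: PYTHON_LXML_SITE is a content-addressed files.pythonhosted.org path that changes with every release, and this hunk updates it in lockstep with PYTHON_LXML_VERSION while PYTHON_LXML_SOURCE stays derived from the version, which is correct; the commit message could additionally say whether 4.6.3 carries changes beyond the CVE-2021-28957 fix, since the linked CHANGES.txt is cited only for the security fix and a reader of the stable-branch backports will want to know what else the bump pulls in.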
-- 
2.30.2
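The gap the commit message describes, shown as an added example that is neither lxml's nor Buildroot's code: a small stdlib scanner that flags link-type attributes whose value carries a non-allow-listed scheme, run once with an attribute set that lacks `formaction` (the pre-4.6.3 situation) and once with it added. The attribute sets, helper names and sample HTML are constructed for the demo and only stand in for lxml's `html/defs.py` `link_attrs`.

```python
import re
from html.parser import HTMLParser

# Constructed attribute sets for this demo; they stand in for lxml's
# html/defs.py link_attrs and are not the library's real list.
LINK_ATTRS_BEFORE = frozenset({"href", "src", "action", "background", "cite"})
LINK_ATTRS_AFTER = LINK_ATTRS_BEFORE | {"formaction"}  # what the 4.6.3 fix adds

ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def is_safe_url(value):
    """Relative URLs and allow-listed schemes pass; any other scheme is flagged."""
    m = SCHEME_RE.match(value)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


class LinkAttrScanner(HTMLParser):
    """Records every (tag, attribute, value) whose attribute is treated as a URL
    (i.e. is in link_attrs) and whose value fails is_safe_url()."""

    def __init__(self, link_attrs):
        super().__init__()
        self.link_attrs = link_attrs
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if name in self.link_attrs and value is not None and not is_safe_url(value):
                self.flagged.append((tag, name, value))


def scan(html, link_attrs):
    scanner = LinkAttrScanner(link_attrs)
    scanner.feed(html)
    scanner.close()
    return scanner.flagged


# Constructed sample: the form's action is on the old list and gets checked;
# the button's HTML5 formaction overrides it but is only checked once listed.
SAMPLE = ('<form action="javascript:void(0)">'
          '<button formaction="javascript:void(0)">go</button></form>')

if __name__ == "__main__":
    print("before fix:", scan(SAMPLE, LINK_ATTRS_BEFORE))
    print("after fix: ", scan(SAMPLE, LINK_ATTRS_AFTER))
```

With the pre-fix set only the `form`/`action` pair is reported; with `formaction` added the `button` is reported as well, which is the regression check a packager can keep around when bumping a sanitizer dependency.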


* [Buildroot] [PATCH 1/1] package/python-lxml: security bump to version 4.6.3
  2021-03-29 20:33 [Buildroot] [PATCH 1/1] package/python-lxml: security bump to version 4.6.3 Fabrice Fontaine
@ 2021-03-30  6:18 ` Peter Korsgaard
  2021-04-03 10:17 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-03-30  6:18 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2021-28957: lxml 4.6.2 allows XSS. It places the HTML action
 > attribute into defs.link_attrs (in html/defs.py) for later use in input
 > sanitization, but does not do the same for the HTML5 formaction
 > attribute.

 > https://github.com/lxml/lxml/blob/lxml-4.6.3/CHANGES.txt

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 1/1] package/python-lxml: security bump to version 4.6.3
  2021-03-29 20:33 [Buildroot] [PATCH 1/1] package/python-lxml: security bump to version 4.6.3 Fabrice Fontaine
  2021-03-30  6:18 ` Peter Korsgaard
@ 2021-04-03 10:17 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-04-03 10:17 UTC (permalink / raw)
  To: buildroot

>>>>> "fontaine.fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2021-28957: lxml 4.6.2 allows XSS. It places the HTML action
 > attribute into defs.link_attrs (in html/defs.py) for later use in input
 > sanitization, but does not do the same for the HTML5 formaction
 > attribute.

 > https://github.com/lxml/lxml/blob/lxml-4.6.3/CHANGES.txt

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x, 2020.11.x and 2021.02.x, thanks.

-- 
Bye, Peter Korsgaard

