From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] package/python-lxml: security bump to version 4.6.2
Date: Mon, 14 Dec 2020 00:01:52 +0100 [thread overview]
Message-ID: <20201213230152.5819-1-peter@korsgaard.com> (raw)
Fixes the following security issues:
* 4.6.2: A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner
by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now
removes more sneaky "style" content.
* 4.6.1: A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
which allowed JavaScript to pass through. The cleaner now removes more
sneaky "style" content.
For more details, see the changes file:
https://github.com/lxml/lxml/blob/lxml-4.6.2/CHANGES.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-lxml/python-lxml.hash | 2 +-
package/python-lxml/python-lxml.mk | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/python-lxml/python-lxml.hash b/package/python-lxml/python-lxml.hash
index 240314e888..7918e08745 100644
--- a/package/python-lxml/python-lxml.hash
+++ b/package/python-lxml/python-lxml.hash
@@ -1,5 +1,5 @@
# Locally computed
-sha256 27ee0faf8077c7c1a589573b1450743011117f1aa1a91d5ae776bbc5ca6070f2 lxml-4.5.1.tar.gz
+sha256 cd11c7e8d21af997ee8079037fff88f16fda188a9776eb4b81c7e4c9c0a7d7fc lxml-4.6.2.tar.gz
sha256 41d49dd406aa0e1548a6d5f21a30d6bf638b3cd96eb7289dd348d83ed2e40392 LICENSES.txt
sha256 69edb445c1335a8312d4c09271847e9956d84f0d9f724d125340cc3fad767b2a doc/licenses/BSD.txt
sha256 0497ae8138811ef4466ede653bab7a59feb3d3c14f9ed50fc33a00aeb5bec32e doc/licenses/elementtree.txt
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index 7e727a6753..a8874737e2 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -4,8 +4,8 @@
#
################################################################################
-PYTHON_LXML_VERSION = 4.5.1
-PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/03/a8/73d795778143be51d8b86750b371b3efcd7139987f71618ad9f4b8b65543
+PYTHON_LXML_VERSION = 4.6.2
+PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37
PYTHON_LXML_SOURCE = lxml-$(PYTHON_LXML_VERSION).tar.gz
# Not including the GPL, because it is used only for the test scripts.
--
2.20.1
next reply other threads:[~2020-12-13 23:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-13 23:01 Peter Korsgaard [this message]
2020-12-14 14:46 ` [Buildroot] [PATCH] package/python-lxml: security bump to version 4.6.2 Peter Korsgaard
2020-12-21 13:42 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201213230152.5819-1-peter@korsgaard.com \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox