authorGravatar Fabrice Fontaine <fontaine.fabrice@gmail.com>2021-03-29 22:33:41 +0200
committerGravatar Peter Korsgaard <peter@korsgaard.com>2021-03-30 08:18:21 +0200
commit9d678ed1de2dec9896730c62d2240583bdda71c0 (patch)
treeea0a81cefb76187b623319c6a5a3ba9f78a0878d
parentf06339f3fcd309c70cfd4d0b3510ad3a3916e0df (diff)
downloadbuildroot-9d678ed1de2dec9896730c62d2240583bdda71c0.tar.gz
buildroot-9d678ed1de2dec9896730c62d2240583bdda71c0.tar.bz2
package/python-lxml: security bump to version 4.6.3
Fix CVE-2021-28957: lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.

https://github.com/lxml/lxml/blob/lxml-4.6.3/CHANGES.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r--package/python-lxml/python-lxml.hash2
-rw-r--r--package/python-lxml/python-lxml.mk4
2 files changed, 3 insertions, 3 deletions
diff --git a/package/python-lxml/python-lxml.hash b/package/python-lxml/python-lxml.hash
index 7918e08745..dd6446e6cc 100644
--- a/package/python-lxml/python-lxml.hash
+++ b/package/python-lxml/python-lxml.hash
@@ -1,5 +1,5 @@
# Locally computed
-sha256 cd11c7e8d21af997ee8079037fff88f16fda188a9776eb4b81c7e4c9c0a7d7fc lxml-4.6.2.tar.gz
+sha256 39b78571b3b30645ac77b95f7c69d1bffc4cf8c3b157c435a34da72e78c82468 lxml-4.6.3.tar.gz
sha256 41d49dd406aa0e1548a6d5f21a30d6bf638b3cd96eb7289dd348d83ed2e40392 LICENSES.txt
sha256 69edb445c1335a8312d4c09271847e9956d84f0d9f724d125340cc3fad767b2a doc/licenses/BSD.txt
sha256 0497ae8138811ef4466ede653bab7a59feb3d3c14f9ed50fc33a00aeb5bec32e doc/licenses/elementtree.txt
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index fe99f82472..0d3775a1bd 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -4,8 +4,8 @@
#
################################################################################
-PYTHON_LXML_VERSION = 4.6.2
-PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37
+PYTHON_LXML_VERSION = 4.6.3
+PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/e5/21/a2e4517e3d216f0051687eea3d3317557bde68736f038a3b105ac3809247
PYTHON_LXML_SOURCE = lxml-$(PYTHON_LXML_VERSION).tar.gz
# Not including the GPL, because it is used only for the test scripts.