
Security flaw in the Python lxml library

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-5801
2014-04-30 03:00:48
--------------------------------------------------------------------------------

Name : python-lxml
Product : Fedora 19
Version : 3.3.5
Release : 1.fc19
URL : http://lxml.de
Summary : ElementTree-like Python bindings for libxml2 and libxslt
Description :
lxml provides a Python binding to the libxslt and libxml2 libraries.
It follows the ElementTree API as much as possible in order to provide
a more Pythonic interface to libxml2 and libxslt than the default
bindings. In particular, lxml deals with Python Unicode strings
rather than encoded UTF-8 and handles memory management automatically,
unlike the default bindings.

--------------------------------------------------------------------------------
Update Information:

3.3.5 (2014-04-18)
==================

Bugs fixed
----------

* HTML cleaning could fail to strip javascript links that mix control
characters into the link scheme.
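The 3.3.5 fix above (Red Hat Bug #1092613 in the references) concerns a cleaner that judged a link by its raw scheme, while browsers first discard embedded control characters, so a scheme written with a stray control character slipped past the check yet still executed. The following added example, which is not lxml's code nor part of the Fedora notice, contrasts a denylist check on the raw scheme with a check that strips C0 control characters and surrounding whitespace and then matches the remaining scheme against an allowlist. The allowlist, the sample HTML and the function names are constructed for the demonstration; it uses only the Python standard library so it runs without lxml installed.

```python
"""Defensive link-scheme check illustrating the lxml 3.3.5 cleaner fix.

Added example (not lxml's clean_html); standard library only.
"""
import re
from html.parser import HTMLParser

# Constructed allowlist: schemes a sanitizer is willing to keep.
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# Constructed denylist used only to show why denylisting the raw scheme fails.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}

# C0 control characters plus DEL; browsers drop these while parsing a URL.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# RFC 3986 scheme syntax (lower-cased): ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_SYNTAX = re.compile(r"[a-z][a-z0-9+.-]*")


def naive_scheme(href):
    """Scheme as a careless check sees it: text before the first ':' as written."""
    scheme, sep, _rest = href.partition(":")
    return scheme.lower() if sep else ""


def naive_is_dangerous(href):
    """The flawed approach: compare the raw scheme against a denylist.
    'java<control char>script:' is not in the denylist, so it passes."""
    return naive_scheme(href) in DANGEROUS_SCHEMES


def normalized_scheme(href):
    """Scheme as a browser interprets it: strip control characters and
    surrounding whitespace first, then require RFC 3986 scheme syntax.
    Returns '' for relative references (no usable scheme)."""
    cleaned = _CONTROL_CHARS.sub("", href).strip()
    scheme, sep, _rest = cleaned.partition(":")
    scheme = scheme.lower()
    if not sep or not _SCHEME_SYNTAX.fullmatch(scheme):
        return ""
    return scheme


def is_safe_link(href):
    """The robust approach: normalise, then allowlist. Relative links are kept."""
    scheme = normalized_scheme(href)
    return scheme == "" or scheme in SAFE_SCHEMES


class _LinkCollector(HTMLParser):
    """Collects href values of <a> and <area> elements."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def find_unsafe_links(html):
    """Return the href values in `html` that the allowlist check rejects."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return [h for h in collector.hrefs if not is_safe_link(h)]


# Constructed sample: two benign links, two that only the normalised check catches.
SAMPLE_HTML = (
    '<a href="https://example.test/">ok</a>'
    '<a href="docs/page.html">relative</a>'
    '<a href="java\tscript:alert(1)">control char inside the scheme</a>'
    '<a href="  JavaScript:alert(1)">leading whitespace, mixed case</a>'
)

if __name__ == "__main__":
    for href in find_unsafe_links(SAMPLE_HTML):
        print("naive denylist says dangerous: %-5s | rejected by allowlist: %r"
              % (naive_is_dangerous(href), href))
```

The order of operations is the whole point: normalisation (drop control characters, trim, lower-case) must happen before the comparison, and the comparison should be against an allowlist so that anything unexpected is rejected rather than having to be enumerated.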

3.3.4 (2014-04-03)
==================

Features added
--------------

* Source line numbers above 65535 are available on Elements when
using libxml2 2.9 or later.

Bugs fixed
----------

* lxml.html.fragment_fromstring() failed for bytes input in Py3.

--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.5-1
- 3.3.5 (2014-04-18)
- ==================

- Bugs fixed
- ----------

- * HTML cleaning could fail to strip javascript links that mix control
- characters into the link scheme.
* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.4-1
- 3.3.4 (2014-04-03)
- ==================

- Features added
- --------------

- * Source line numbers above 65535 are available on Elements when
- using libxml2 2.9 or later.

- Bugs fixed
- ----------

- * lxml.html.fragment_fromstring() failed for bytes input in Py3.
* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-4
- Fix macro definition
* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3
- Add python3-cssselect to correct package
* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3
- python3-cssselect is not available on F19
* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-2
- BZ#1075070 add requires and buildrequires for cssselect
* Tue Mar 11 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-1
- 3.3.3 (2014-03-04)
- ==================

- Bugs fixed
- ----------

- * LP#1287118: Crash when using Element subtypes with ``__slots__``.

- Other changes
- -------------

- * The internal classes ``_LogEntry`` and ``_Attrib`` can no longer be
- subclassed from Python code.
* Tue Mar 11 2014 Alexander Todorov <atodorov@redhat.com> - 3.3.2-2
- Add check section #1075070
* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1
- 3.3.2 (2014-02-26)
- ==================

- Bugs fixed
- ----------

- * The properties ``resolvers`` and ``version``, as well as the methods
- ``set_element_class_lookup()`` and ``makeelement()``, were lost from
- ``iterparse`` objects.

- * LP#1222132: instances of ``XMLSchema``, ``Schematron`` and ``RelaxNG``
- did not clear their local ``error_log`` before running a validation.

- * LP#1238500: lxml.doctestcompare mixed up "expected" and "actual" in
- attribute values.

- * Some file I/O tests were failing in MS-Windows due to incorrect temp
- file usage. Initial patch by Gabi Davar.

- * LP#910014: duplicate IDs in a document were not reported by DTD
- validation.

- * LP#1185332: ``tostring(method="html")`` did not use HTML serialisation
- semantics for trailing tail text. Initial patch by Sylvain Viollon.

- * LP#1281139: ``.attrib`` value of Comments lost its mutation methods
- in 3.3.0. Even though it is empty and immutable, it should still
- provide the same interface as that returned for Elements.
* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1
- 3.3.1 (2014-02-12)
- ==================

- Bugs fixed
- ----------

- * LP#1014290: HTML documents parsed with ``parser.feed()`` failed to find
- elements during tag iteration.

- * LP#1273709: Building in PyPy failed due to missing support for
- ``PyUnicode_Compare()`` and ``PyByteArray_*()`` in PyPy's C-API.

- * LP#1274413: Compilation in MSVC failed due to missing "stdint.h" standard
- header file.

- * LP#1274118: iterparse() failed to parse BOM prefixed files.
* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-2
- Update Cython requirement to >= 0.20
* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-1
- 3.3.0 (2014-01-26)
- ==================

- Features added
- --------------

- Bugs fixed
- ----------

- * The heuristic that distinguishes file paths from URLs was tightened
- to produce less false negatives.

- Other changes
- -------------


- 3.3.0beta5 (2014-01-18)
- =======================

- Features added
- --------------

- * The PEP 393 unicode parsing support gained a fallback for wchar strings
- which might still be somewhat common on Windows systems.

- Bugs fixed
- ----------

- * Several error handling problems were fixed throughout the code base that
- could previously lead to exceptions being silently swallowed or not
- properly reported.

- * The C-API function ``appendChild()`` is now deprecated as it does not
- propagate exceptions (its return type is ``void``). The new function
- ``appendChildToElement()`` was added as a safe replacement.

- * Passing a string into ``fromstringlist()`` raises an exception instead of
- parsing the string character by character.

- Other changes
- -------------

- * Document cleanup code was simplified using the new GC features in
- Cython 0.20.


- 3.3.0beta4 (2014-01-12)
- =======================

- Features added
- --------------

- Bugs fixed
- ----------

- * The (empty) value returned by the ``attrib`` property of Entity and
- Comment objects was mutable.

- * Element class lookup wasn't available for the new pull parsers or when
- using a custom parser target.

- * Setting Element attributes on instantiation with both the ``attrib``
- argument and keyword arguments could modify the mapping passed as
- ``attrib``.

- * LP#1266171: DTDs instantiated from internal/external subsets (i.e.
- through the docinfo property) lost their attribute declarations.

- Other changes
- -------------

- * Built with Cython 0.20pre (gitrev 012ae82eb) to prepare support for
- Python 3.4.


- 3.3.0beta3 (2014-01-02)
- =======================

- Features added
- --------------

- * Unicode string parsing was optimised for Python 3.3 (PEP 393).

- Bugs fixed
- ----------

- * HTML parsing of Unicode strings could misdecode the input on some
- platforms.

- * Crash in xmlfile() when closing open elements out of order in an error
- case.

- Other changes
- -------------


- 3.3.0beta2 (2013-12-20)
- =======================

- Features added
- --------------

- * ``iterparse()`` supports the ``recover`` option.

- Bugs fixed
- ----------

- * Crash in ``iterparse()`` for HTML parsing.

- * Crash in target parsing with attributes.

- Other changes
- -------------

- * The safety check in the read-only tree implementation (e.g. used by
- ``PythonElementClassLookup``) raises a more appropriate
- ``ReferenceError`` for illegal access after tree disposal instead of
- an ``AssertionError``. This should only impact test code that
- specifically checks the original behaviour.


- 3.3.0beta1 (2013-12-12)
- =======================

- Features added
- --------------

- * New option ``handle_failures`` in ``make_links_absolute()`` and
- ``resolve_base_href()`` (lxml.html) that enables ignoring or
- discarding links that fail to parse as URLs.

- * New parser classes ``XMLPullParser`` and ``HTMLPullParser`` for
- incremental parsing, as implemented for ElementTree in Python 3.4.

- * ``iterparse()`` enables recovery mode by default for HTML parsing
- (``html=True``).

- Bugs fixed
- ----------

- * LP#1255132: crash when trying to run validation over non-Element (e.g.
- comment or PI).

- * Error messages in the log and in exception messages that originated
- from libxml2 could accidentally be picked up from preceding warnings
- instead of the actual error.

- * The ``ElementMaker`` in lxml.objectify did not accept a dict as
- argument for adding attributes to the element it's building. This
- works as in lxml.builder now.

- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.

- * Raise ``ValueError`` when trying to append an Element to itself or
- to one of its own descendants, instead of running into an infinite
- loop.

- * LP#1206077: htmldiff discarded whitespace from the output.

- * Compressed plain-text serialisation to file-like objects was broken.

- * lxml.html.formfill: Fix textarea form filling.
- The textarea used to be cleared before the new content was set,
- which removed the name attribute.

- Other changes
- -------------

- * Some basic API classes use freelists internally for faster
- instantiation. This can speed up some ``iterparse()`` scenarios,
- for example.

- * ``iterparse()`` was rewritten to use the new ``*PullParser``
- classes internally instead of being a parser itself.
* Mon Nov 11 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.4-1
- 3.2.4 (2013-11-07)
- ==================

- Bugs fixed
- ----------

- * Memory leak when creating an XPath evaluator in a thread.

- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.

- * Raise ``ValueError`` when trying to append an Element to itself or
- to one of its own descendants.

- * LP#1206077: htmldiff discarded whitespace from the output.

- * Compressed plain-text serialisation to file-like objects was broken.
* Wed Sep 18 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-2
- Add requirement for on python-cssselect for the python2 version
* Sun Jul 28 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-1
- and here's a version 3.2.3. The last release accidentally lost the ability
- to work on Python 2.4. There are no other changes over 3.2.2.

- 3.2.2 (2013-07-28)
- ==================

- Features added
- --------------

- Bugs fixed
- ----------

- * LP#1185701: spurious XMLSyntaxError after finishing iterparse().

- * Crash in lxml.objectify during xsi annotation.

- Other changes
- -------------

- * Return values of user provided element class lookup methods are now
- validated against the type of the XML node they represent to prevent
- API class mismatches.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1092613 – python-lxml: clean_html input sanitization flaw
https://bugzilla.redhat.com/show_bug.cgi?id=1092613
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update python-lxml' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Author: Marko Stanec
CERT id: NCERT-REF-2014-05-0016-ADV
CVE: CERT-CVE-DUMMY
Source ID: CERT-ORIGID-DUMMY
Product: CERT-DUMMY-PRODUCT
Source: http://www.adobe.com/