oneDAL
oneDAL copied to clipboard
oneapi-src
Update dependency lxml to v4.9.1 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| lxml (source, changelog) | ==4.6.5 -> ==4.9.1 |
GitHub Vulnerability Alerts
CVE-2022-2309
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Release Notes
lxml/lxml
v4.9.1
==================
Bugs fixed
- A crash was resolved when using
iterwalk()(orcanonicalize()) after parsing certain incorrect input. Note thatiterwalk()can crash on valid input parsed with the same parser after failing to parse the incorrect input.
v4.9.0
==================
Bugs fixed
- GH#341: The mixin inheritance order in
lxml.htmlwas corrected. Patch by xmo-odoo.
Other changes
-
Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.
-
Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35 (libxml2 2.9.12+ and libxslt 1.1.34 on Windows).
-
GH#343: Windows-AArch64 build support in Visual Studio. Patch by Steve Dower.
v4.8.0
==================
Features added
-
GH#337: Path-like objects are now supported throughout the API instead of just strings. Patch by Henning Janssen.
-
The
ElementMakernow supportsQNamevalues as tags, which always override the default namespace of the factory.
Bugs fixed
- GH#338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively. Patch by Tobias Deiminger.
Other changes
- Built with Cython 0.29.28.
v4.7.1
==================
Features added
- Chunked Unicode string parsing via
parser.feed()now encodes the input data to the native UTF-8 encoding directly, instead of going throughPy_UNICODE/wchar_tencoding first, which previously required duplicate recoding in most cases.
Bugs fixed
-
The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3. See https://mail.python.org/archives/list/[email protected]/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
-
lxml.objectifypreviously accepted non-XML numbers with underscores (like "1_000") as integers or float values in Python 3.6 and later. It now adheres to the number format of the XML spec again. -
LP#1939031: Static wheels of lxml now contain the header files of zlib and libiconv (in addition to the already provided headers of libxml2/libxslt/libexslt).
Other changes
- Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
v4.7.0
==================
- Release retracted due to missing files in lxml/includes/.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}