Security: Execution of arbitrary commands in python-lxml
Name: Execution of arbitrary commands in python-lxml
ID: FEDORA-2014-5801
Distribution: Fedora
Platforms: Fedora 19
Date: Thu, 8 May 2014, 20:38
References: Not specified
Applications: python-lxml

Original message

Name : python-lxml
Product : Fedora 19
Version : 3.3.5
Release : 1.fc19
URL : http://lxml.de
Summary : ElementTree-like Python bindings for libxml2 and libxslt
Description :
lxml provides a Python binding to the libxslt and libxml2 libraries.
It follows the ElementTree API as much as possible in order to provide
a more Pythonic interface to libxml2 and libxslt than the default
bindings. In particular, lxml deals with Python Unicode strings
rather than encoded UTF-8 and handles memory management automatically,
unlike the default bindings.

--------------------------------------------------------------------------------
Update Information:

3.3.5 (2014-04-18)
==================

Bugs fixed
----------

* HTML cleaning could fail to strip javascript links that mix control
characters into the link scheme.

3.3.4 (2014-04-03)
==================

Features added
--------------

* Source line numbers above 65535 are available on Elements when
using libxml2 2.9 or later.

Bugs fixed
----------

* lxml.html.fragment_fromstring() failed for bytes input in Py3.

--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.5-1
- 3.3.5 (2014-04-18)
- ==================
-
- Bugs fixed
- ----------
-
- * HTML cleaning could fail to strip javascript links that mix control
- characters into the link scheme.
* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.4-1
- 3.3.4 (2014-04-03)
- ==================
-
- Features added
- --------------
-
- * Source line numbers above 65535 are available on Elements when
- using libxml2 2.9 or later.
-
- Bugs fixed
- ----------
-
- * lxml.html.fragment_fromstring() failed for bytes input in Py3.
* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-4
- Fix macro definition
* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3
- Add python3-cssselect to correct package
* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3
- python3-cssselect is not available on F19
* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-2
- BZ#1075070 add requires and buildrequires for cssselect
* Tue Mar 11 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-1
- 3.3.3 (2014-03-04)
- ==================
-
- Bugs fixed
- ----------
-
- * LP#1287118: Crash when using Element subtypes with ``__slots__``.
-
- Other changes
- -------------
-
- * The internal classes ``_LogEntry`` and ``_Attrib`` can no longer be
- subclassed from Python code.
* Tue Mar 11 2014 Alexander Todorov <atodorov@redhat.com> - 3.3.2-2
- Add check section #1075070
* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1
- 3.3.2 (2014-02-26)
- ==================
-
- Bugs fixed
- ----------
-
- * The properties ``resolvers`` and ``version``, as well as the methods
- ``set_element_class_lookup()`` and ``makeelement()``, were lost from
- ``iterparse`` objects.
-
- * LP#1222132: instances of ``XMLSchema``, ``Schematron`` and ``RelaxNG``
- did not clear their local ``error_log`` before running a validation.
-
- * LP#1238500: lxml.doctestcompare mixed up "expected" and "actual" in
- attribute values.
-
- * Some file I/O tests were failing in MS-Windows due to incorrect temp
- file usage. Initial patch by Gabi Davar.
-
- * LP#910014: duplicate IDs in a document were not reported by DTD
- validation.
-
- * LP#1185332: ``tostring(method="html")`` did not use HTML serialisation
- semantics for trailing tail text. Initial patch by Sylvain Viollon.
-
- * LP#1281139: ``.attrib`` value of Comments lost its mutation methods
- in 3.3.0. Even though it is empty and immutable, it should still
- provide the same interface as that returned for Elements.
* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1
- 3.3.1 (2014-02-12)
- ==================
-
- Bugs fixed
- ----------
-
- * LP#1014290: HTML documents parsed with ``parser.feed()`` failed to find
- elements during tag iteration.
-
- * LP#1273709: Building in PyPy failed due to missing support for
- ``PyUnicode_Compare()`` and ``PyByteArray_*()`` in PyPy's C-API.
-
- * LP#1274413: Compilation in MSVC failed due to missing "stdint.h" standard
- header file.
-
- * LP#1274118: iterparse() failed to parse BOM prefixed files.
* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-2
- Update Cython requirement to >= 0.20
* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-1
- 3.3.0 (2014-01-26)
- ==================
-
- Features added
- --------------
-
- Bugs fixed
- ----------
-
- * The heuristic that distinguishes file paths from URLs was tightened
- to produce less false negatives.
-
- Other changes
- -------------
-
-
- 3.3.0beta5 (2014-01-18)
- =======================
-
- Features added
- --------------
-
- * The PEP 393 unicode parsing support gained a fallback for wchar strings
- which might still be somewhat common on Windows systems.
-
- Bugs fixed
- ----------
-
- * Several error handling problems were fixed throughout the code base that
- could previously lead to exceptions being silently swallowed or not
- properly reported.
-
- * The C-API function ``appendChild()`` is now deprecated as it does not
- propagate exceptions (its return type is ``void``). The new function
- ``appendChildToElement()`` was added as a safe replacement.
-
- * Passing a string into ``fromstringlist()`` raises an exception instead of
- parsing the string character by character.
-
- Other changes
- -------------
-
- * Document cleanup code was simplified using the new GC features in
- Cython 0.20.
-
-
- 3.3.0beta4 (2014-01-12)
- =======================
-
- Features added
- --------------
-
- Bugs fixed
- ----------
-
- * The (empty) value returned by the ``attrib`` property of Entity and
- Comment objects was mutable.
-
- * Element class lookup wasn't available for the new pull parsers or when
- using a custom parser target.
-
- * Setting Element attributes on instantiation with both the ``attrib``
- argument and keyword arguments could modify the mapping passed as
- ``attrib``.
-
- * LP#1266171: DTDs instantiated from internal/external subsets (i.e.
- through the docinfo property) lost their attribute declarations.
-
- Other changes
- -------------
-
- * Built with Cython 0.20pre (gitrev 012ae82eb) to prepare support for
- Python 3.4.
-
-
- 3.3.0beta3 (2014-01-02)
- =======================
-
- Features added
- --------------
-
- * Unicode string parsing was optimised for Python 3.3 (PEP 393).
-
- Bugs fixed
- ----------
-
- * HTML parsing of Unicode strings could misdecode the input on some
- platforms.
-
- * Crash in xmlfile() when closing open elements out of order in an error
- case.
-
- Other changes
- -------------
-
-
- 3.3.0beta2 (2013-12-20)
- =======================
-
- Features added
- --------------
-
- * ``iterparse()`` supports the ``recover`` option.
-
- Bugs fixed
- ----------
-
- * Crash in ``iterparse()`` for HTML parsing.
-
- * Crash in target parsing with attributes.
-
- Other changes
- -------------
-
- * The safety check in the read-only tree implementation (e.g. used by
- ``PythonElementClassLookup``) raises a more appropriate
- ``ReferenceError`` for illegal access after tree disposal instead of
- an ``AssertionError``. This should only impact test code that
- specifically checks the original behaviour.
-
-
- 3.3.0beta1 (2013-12-12)
- =======================
-
- Features added
- --------------
-
- * New option ``handle_failures`` in ``make_links_absolute()`` and
- ``resolve_base_href()`` (lxml.html) that enables ignoring or
- discarding links that fail to parse as URLs.
-
- * New parser classes ``XMLPullParser`` and ``HTMLPullParser`` for
- incremental parsing, as implemented for ElementTree in Python 3.4.
-
- * ``iterparse()`` enables recovery mode by default for HTML parsing
- (``html=True``).
-
- Bugs fixed
- ----------
-
- * LP#1255132: crash when trying to run validation over non-Element (e.g.
- comment or PI).
-
- * Error messages in the log and in exception messages that originated
- from libxml2 could accidentally be picked up from preceding warnings
- instead of the actual error.
-
- * The ``ElementMaker`` in lxml.objectify did not accept a dict as
- argument for adding attributes to the element it's building. This
- works as in lxml.builder now.
-
- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.
-
- * Raise ``ValueError`` when trying to append an Element to itself or
- to one of its own descendants, instead of running into an infinite
- loop.
-
- * LP#1206077: htmldiff discarded whitespace from the output.
-
- * Compressed plain-text serialisation to file-like objects was broken.
-
- * lxml.html.formfill: Fix textarea form filling.
- The textarea used to be cleared before the new content was set,
- which removed the name attribute.
-
- Other changes
- -------------
-
- * Some basic API classes use freelists internally for faster
- instantiation. This can speed up some ``iterparse()`` scenarios,
- for example.
-
- * ``iterparse()`` was rewritten to use the new ``*PullParser``
- classes internally instead of being a parser itself.
* Mon Nov 11 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.4-1
- 3.2.4 (2013-11-07)
- ==================
-
- Bugs fixed
- ----------
-
- * Memory leak when creating an XPath evaluator in a thread.
-
- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.
-
- * Raise ``ValueError`` when trying to append an Element to itself or
- to one of its own descendants.
-
- * LP#1206077: htmldiff discarded whitespace from the output.
-
- * Compressed plain-text serialisation to file-like objects was broken.
* Wed Sep 18 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-2
- Add requirement on python-cssselect for the python2 version
* Sun Jul 28 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-1
- and here's a version 3.2.3. The last release accidentally lost the ability
- to work on Python 2.4. There are no other changes over 3.2.2.
-
- 3.2.2 (2013-07-28)
- ==================
-
- Features added
- --------------
-
- Bugs fixed
- ----------
-
- * LP#1185701: spurious XMLSyntaxError after finishing iterparse().
-
- * Crash in lxml.objectify during xsi annotation.
-
- Other changes
- -------------
-
- * Return values of user provided element class lookup methods are now
- validated against the type of the XML node they represent to prevent
- API class mismatches.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1092613 - python-lxml: clean_html input sanitization flaw
https://bugzilla.redhat.com/show_bug.cgi?id=1092613
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update python-lxml' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
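
The 3.3.5 fix listed in the advisory concerns link schemes that have control characters mixed into them. As an added example (not part of the advisory and not lxml's own code), the following Python contrasts a scheme check on the raw attribute value with one that removes control characters and whitespace first; the function names, the scheme list and the sample links are constructed for illustration.

```python
import re

# Schemes the cleaner refuses in link attributes (assumed list for this example).
BLOCKED_SCHEMES = {"javascript", "vbscript"}

# C0 control characters, space and DEL. Browsers ignore tab/CR/LF inside a URL
# and leading control characters, so they must not hide the scheme from a filter.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]+")
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_script_link(url):
    """Check the scheme exactly as written in the attribute value."""
    return url.strip().lower().startswith(tuple(s + ":" for s in BLOCKED_SCHEMES))


def hardened_is_script_link(url):
    """Remove control characters and whitespace first, then compare the scheme.

    Stripping them everywhere is deliberately conservative: a sanitizer should
    over-block rather than guess how a given browser will repair the URL.
    """
    collapsed = _CONTROL_OR_SPACE.sub("", url)
    match = _SCHEME.match(collapsed)
    return bool(match) and match.group(1).lower() in BLOCKED_SCHEMES


def missed_by_naive(links):
    """Return the links the hardened check blocks but the naive check lets through."""
    return [u for u in links if hardened_is_script_link(u) and not naive_is_script_link(u)]


# Constructed sample attribute values, not taken from the advisory.
SAMPLE_LINKS = [
    "javascript:void(0)",                  # plain scheme: both checks block it
    "java\tscript:void(0)",                # tab inside the scheme
    "jav\r\nascript:void(0)",              # CR/LF inside the scheme
    "\x01javascript:void(0)",              # leading control character
    "https://example.org/?q=javascript:",  # harmless: the scheme is https
    "/docs/index.html",                    # relative link, no scheme
]

if __name__ == "__main__":
    for link in missed_by_naive(SAMPLE_LINKS):
        print("naive check missed:", repr(link))
```
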