Team,
Kindly suggest a better solution/approach for our problem.
1. We would like to get lxml which is bundled with libxml2 version 2.9.4
for the Python 2.7 Windows installer (win-amd64-py2.7.exe).
Since the latest lxml (3.8.0) compatible with Python 2.7 has libxml2 version
2.9.3, we tried to build our own lxml exe with the required libxml2 version.
We are facing issues with that.
2. Our current code is written in Python 2.7. Is it easy to migrate to
Python 3.5 or later without much code change? Also we would like to know if
Python 3 is available for win-amd64?
Kindly let us know the easy and feasible solution for our scenario. This
upgrade is required to mitigate security vulnerabilities found in libxml2.
Regards,
Swarna
On Tue, Sep 5, 2017 at 11:59 PM, Stefan Behnel
Hi,
Swarnalatha Kannan wrote on 05.09.2017 at 17:55:
I would like to know if security vulnerabilities in libxml2 hold good for lxml. We are using lxml-3.3.4.win-amd64-py2.7.exe in our project. After installation, I could only see .h files inside the libxml folder of lxml (C:\Python27\Lib\site-packages\lxml\includes\libxml). I would like to know about the implementations of these header file functions, because most of the vulnerabilities mentioned are part of .c files. Kindly get back.
The header files are only there for external code that wants to compile against lxml. What you are interested in is the libxml2 version that the Windows binaries include. You can look that up in lxml itself:
    from lxml import etree
    # lxml version, then the libxml2/libxslt versions loaded at run time and compiled against
    print("%-20s: %s" % ('lxml.etree', etree.LXML_VERSION))
    print("%-20s: %s" % ('libxml used', etree.LIBXML_VERSION))
    print("%-20s: %s" % ('libxml compiled', etree.LIBXML_COMPILED_VERSION))
    print("%-20s: %s" % ('libxslt used', etree.LIBXSLT_VERSION))
    print("%-20s: %s" % ('libxslt compiled', etree.LIBXSLT_COMPILED_VERSION))
lxml 3.3.4 is hugely old and probably comes with some 2.7.x version of libxml2, maybe 2.7.8. These old versions have bugs that most likely include security relevant ones.
I recommend switching to Python 3.5 or 3.6. The corresponding lxml wheels for Windows come with more recent library versions.
Stefan
_________________________________________________________________
Mailing list for the lxml Python XML toolkit - http://lxml.de/
lxml@lxml.de
https://mailman-mail5.webfaction.com/listinfo/lxml
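Added example, not part of the original thread or of lxml: a startup or CI check built on the version attributes printed in the reply, which fails when the libxml2 that lxml loads is older than the 2.9.4 mentioned in the thread. The names audit_versions, installed_versions, MIN_LIBXML and SAMPLE are hypothetical, and the sample tuples are constructed.

```python
# Added example: gate on the libxml2 version that lxml actually loads.
# MIN_LIBXML is the 2.9.4 target named in the thread; audit_versions,
# installed_versions and SAMPLE are hypothetical names for illustration.
MIN_LIBXML = (2, 9, 4)

# Constructed sample: the 2.9.3 the thread reports for lxml 3.8.0.
SAMPLE = {"libxml used": (2, 9, 3), "libxml compiled": (2, 9, 3)}


def fmt(version):
    return ".".join(str(part) for part in version)


def audit_versions(versions, min_libxml=MIN_LIBXML):
    """Return a list of findings for a dict of libxml2 version tuples."""
    used = tuple(versions["libxml used"])
    compiled = tuple(versions["libxml compiled"])
    findings = []
    if used < min_libxml:
        findings.append("libxml2 %s in use is older than required %s"
                        % (fmt(used), fmt(min_libxml)))
    if used < compiled:
        # A dynamically linked build can load an older library at run time.
        findings.append("libxml2 %s in use is older than %s lxml was built with"
                        % (fmt(used), fmt(compiled)))
    return findings


def installed_versions():
    """Read the same attributes the reply prints from the installed lxml."""
    from lxml import etree
    return {"libxml used": etree.LIBXML_VERSION,
            "libxml compiled": etree.LIBXML_COMPILED_VERSION}


if __name__ == "__main__":
    import sys
    try:
        versions = installed_versions()
    except ImportError:
        versions = SAMPLE  # lxml not installed: run on the constructed sample
    problems = audit_versions(versions)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

The comparison is done on the version tuples rather than on strings, so a release such as 2.10.0 is correctly treated as newer than 2.9.4.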