Hi, Swarnalatha Kannan schrieb am 05.09.2017 um 17:55:
I would like to know if security vulnerabilities on libxml2 holds good for lxml. We are using lxml-3.3.4.win-amd64-py2.7.exe in our project. After installation, I could only see .h files inside libxml fodler of lxml. (C:\Python27\Lib\site-packages\lxml\includes\libxml). I would like to know about the implementations of these header file functions. Because most of the vulnerabilities mentioned are part of .c files. Kindly get back.
The header files are only there for external code that wants to compile against lxml. What you are interested in is the libxml2 version that the Windows binaries include. You can look that up in lxml itself: print("%-20s: %s" % ('lxml.etree', etree.LXML_VERSION)) print("%-20s: %s" % ('libxml used', etree.LIBXML_VERSION)) print("%-20s: %s" % ('libxml compiled', etree.LIBXML_COMPILED_VERSION)) print("%-20s: %s" % ('libxslt used', etree.LIBXSLT_VERSION)) print("%-20s: %s" % ('libxslt compiled', etree.LIBXSLT_COMPILED_VERSION)) lxml 3.3.4 is hugely old and probably comes with some 2.7.x version of libxml2, maybe 2.7.8. These old versions have bugs that most likely include security relevant ones. I recomment switching to Python 3.5 or 3.6. The corresponding lxml wheels for Windows come with more recent library versions. Stefan