Hi Swarnalatha,
the previous releases were built with 2.9.3, due to 2.9.4 having a bug regarding schema validation. Unfortunately, 2.9.3 has its own bugs, too.
You can see some previous discussion here: https://bugs.launchpad.net/lxml/+bug/1706375
That discussion was then moved to this mailing list – unfortunately all of its web-accessible archives seem to be broken :(. If you have a newsreader, you can have a look at nntp://news.gmane.org/gmane.comp.python.lxml.devel. The thread title is "Should (Linux) binary wheels include libxml2/libxslt".
If you need a quick fix, you can just compile lxml yourself with your own version of libxml2 – that's what we ended up doing.
On 29.08.17 8:43:15, "Swarnalatha Kannan" <swarna298@gmail.com> wrote:
Team,
We are using lxml (lxml-3.3.4.win-amd64-py2.7) in my project which gets shipped with libxml2 2.9.0. We would like to upgrade libxml2 to 2.9.4 to mitigate security vulnerabilities (CVE-2016-4448). For this upgrade we have to update lxml which has 2.9.4 libxml2. But latest lxml for 2.7 python 64 bit windows is having 2.9.3. Let me know how to solve the issue? Thanks.
Python version used: python-2.7.12.amd64.msi
Christian Fersch wrote on 29.08.2017 at 10:46:
the previous releases were built with 2.9.3, due to 2.9.4 having a bug regarding schema validation. Unfortunately, 2.9.3 has its own bugs, too.
You can see some previous discussion here: https://bugs.launchpad.net/lxml/+bug/1706375
That discussion was then moved to this mailing list – unfortunately all of its web-accessible archives seem to be broken :(. If you have a newsreader, you can have a look at nntp://news.gmane.org/gmane.comp.python.lxml.devel. The thread title is "Should (Linux) binary wheels include libxml2/libxslt".
If you need a quick fix, you can just compile lxml yourself with your own version of libxml2 – that's what we ended up doing.
On 29.08.17 8:43:15, "Swarnalatha Kannan" wrote:
We are using lxml (lxml-3.3.4.win-amd64-py2.7) in my project which gets shipped with libxml2 2.9.0. We would like to upgrade libxml2 to 2.9.4 to mitigate security vulnerabilities (CVE-2016-4448). For this upgrade we have to update lxml which has 2.9.4 libxml2. But latest lxml for 2.7 python 64 bit windows is having 2.9.3. Let me know how to solve the issue? Thanks.
Python version used: python-2.7.12.amd64.msi
A new libxml2 release is announced within weeks, and then the release cycle will hopefully be shorter in the future.
I'm currently waiting for the next libxml2 release, and then I'll upload lxml 4.0 with binaries that should include it.
Stefan
Hi Stefan/Christian,
Thanks for the quick response.
1. Let me know the tentative release timeline for lxml4.0.
2. Let me know the steps to compile lxml with required version of libxml2.
Regards,
Swarna
On Wed, Aug 30, 2017 at 12:30 AM, Stefan Behnel <stefan_ml@behnel.de> wrote:
Christian Fersch wrote on 29.08.2017 at 10:46:
the previous releases were built with 2.9.3, due to 2.9.4 having a bug regarding schema validation. Unfortunately, 2.9.3 has its own bugs, too.
You can see some previous discussion here: https://bugs.launchpad.net/lxml/+bug/1706375
That discussion was then moved to this mailing list – unfortunately all of its web-accessible archives seem to be broken :(. If you have a newsreader, you can have a look at nntp://news.gmane.org/gmane.comp.python.lxml.devel. The thread title is "Should (Linux) binary wheels include libxml2/libxslt".
If you need a quick fix, you can just compile lxml yourself with your own version of libxml2 – that's what we ended up doing.
On 29.08.17 8:43:15, "Swarnalatha Kannan" wrote:
We are using lxml (lxml-3.3.4.win-amd64-py2.7) in my project which gets shipped with libxml2 2.9.0. We would like to upgrade libxml2 to 2.9.4 to mitigate security vulnerabilities (CVE-2016-4448). For this upgrade we have to update lxml which has 2.9.4 libxml2. But latest lxml for 2.7 python 64 bit windows is having 2.9.3. Let me know how to solve the issue? Thanks.
Python version used: python-2.7.12.amd64.msi
A new libxml2 release is announced within weeks, and then the release cycle will hopefully be shorter in the future.
I'm currently waiting for the next libxml2 release, and then I'll upload lxml 4.0 with binaries that should include it.
Stefan
_________________________________________________________________
Mailing list for the lxml Python XML toolkit - http://lxml.de/
lxml@lxml.de
https://mailman-mail5.webfaction.com/listinfo/lxml
Swarnalatha Kannan wrote on 30.08.2017 at 04:16:
1. Let me know the tentative release timeline for lxml4.0.
Soon, rather days or weeks than months.
2. Let me know the steps to compile lxml with required version of libxml2.
I encourage you to test the latest pre-release versions and see if they work for you.
On most non-Windows systems, you can build lxml statically with these versions by setting these environment variables:
LIBXML2_VERSION=2.9.5-rc2 LIBXSLT_VERSION=1.1.30-rc2 STATIC_DEPS=true
Note that you might need the latest lxml master for that, as I had to apply some fixes to make it compile with the latest libxml2. If you don't have the lzma dev headers installed, it might also work with the current lxml release version.
Stefan
Team,
Thanks for the response. I would like to know if security vulnerabilities on libxml2 holds good for lxml. We are using lxml-3.3.4.win-amd64-py2.7.exe in our project. After installation, I could only see .h files inside libxml folder of lxml. (C:\Python27\Lib\site-packages\lxml\includes\libxml). I would like to know about the implementations of these header file functions. Because most of the vulnerabilities mentioned are part of .c files. Kindly get back.
Regards,
Swarna
On Fri, Sep 1, 2017 at 1:02 AM, Stefan Behnel <stefan_ml@behnel.de> wrote:
Swarnalatha Kannan wrote on 30.08.2017 at 04:16:
1. Let me know the tentative release timeline for lxml4.0.
Soon, rather days or weeks than months.
2. Let me know the steps to compile lxml with required version of libxml2.
I encourage you to test the latest pre-release versions and see if they work for you.
On most non-Windows systems, you can build lxml statically with these versions by setting these environment variables:
LIBXML2_VERSION=2.9.5-rc2 LIBXSLT_VERSION=1.1.30-rc2 STATIC_DEPS=true
Note that you might need the latest lxml master for that, as I had to apply some fixes to make it compile with the latest libxml2. If you don't have the lzma dev headers installed, it might also work with the current lxml release version.
Stefan
Hi,
Swarnalatha Kannan wrote on 05.09.2017 at 17:55:
I would like to know if security vulnerabilities on libxml2 holds good for lxml. We are using lxml-3.3.4.win-amd64-py2.7.exe in our project. After installation, I could only see .h files inside libxml folder of lxml. (C:\Python27\Lib\site-packages\lxml\includes\libxml). I would like to know about the implementations of these header file functions. Because most of the vulnerabilities mentioned are part of .c files. Kindly get back.
The header files are only there for external code that wants to compile against lxml. What you are interested in is the libxml2 version that the Windows binaries include. You can look that up in lxml itself:
    from lxml import etree
    print("%-20s: %s" % ('lxml.etree', etree.LXML_VERSION))
    print("%-20s: %s" % ('libxml used', etree.LIBXML_VERSION))
    print("%-20s: %s" % ('libxml compiled', etree.LIBXML_COMPILED_VERSION))
    print("%-20s: %s" % ('libxslt used', etree.LIBXSLT_VERSION))
    print("%-20s: %s" % ('libxslt compiled', etree.LIBXSLT_COMPILED_VERSION))
lxml 3.3.4 is hugely old and probably comes with some 2.7.x version of libxml2, maybe 2.7.8. These old versions have bugs that most likely include security relevant ones.
I recommend switching to Python 3.5 or 3.6. The corresponding lxml wheels for Windows come with more recent library versions.
Stefan
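The version lookup from the message above, turned into a pass/fail check that can run at deployment time (an added example, not part of the original message and not lxml's own code). The `MINIMUMS` policy and the function names are assumptions for illustration; 2.9.4 is the libxml2 target named in this thread.

```python
# Added example: gate on the libxml2/libxslt versions that lxml reports.
# MINIMUMS is a deployer-chosen policy (assumption); 2.9.4 is the libxml2
# target named in this thread.
MINIMUMS = {"libxml2": (2, 9, 4)}


def collect_versions():
    """Read the version tuples lxml exposes (needs lxml installed)."""
    from lxml import etree
    return {
        "libxml2": {"used": etree.LIBXML_VERSION,
                    "compiled": etree.LIBXML_COMPILED_VERSION},
        "libxslt": {"used": etree.LIBXSLT_VERSION,
                    "compiled": etree.LIBXSLT_COMPILED_VERSION},
    }


def fmt(version):
    return ".".join(str(part) for part in version)


def audit(versions, minimums=MINIMUMS):
    """Return findings as strings; an empty list means the policy is met."""
    findings = []
    for lib in sorted(versions):
        used = tuple(versions[lib]["used"])
        compiled = tuple(versions[lib]["compiled"])
        required = minimums.get(lib)
        # The library loaded at runtime is the one that parses untrusted XML.
        if required is not None and used < required:
            findings.append("%s: runtime %s is older than required %s"
                            % (lib, fmt(used), fmt(required)))
        # With dynamic linking the loaded library can differ from the one
        # lxml was built against; report it so the gap is not overlooked.
        if used != compiled:
            findings.append("%s: runtime %s differs from compiled %s"
                            % (lib, fmt(used), fmt(compiled)))
    # A policy entry for a library that lxml did not report is also a finding.
    for lib in sorted(set(minimums) - set(versions)):
        findings.append("%s: no version reported" % lib)
    return findings


if __name__ == "__main__":
    import sys
    problems = audit(collect_versions())
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run as a script, it exits non-zero when the installed lxml falls short of the policy, so it can fail a build or startup check.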
Team,
Kindly suggest a better solution/approach for our problem.
1. We would like to get lxml which is bundled with libxml2 version 2.9.4 for python 2.7 windows installer (win-amd64-py2.7.exe) since latest lxml(3.8.0) compatible with python2.7 has libxml2 (2.9.3) version, we tried to build our own lxml exe with required libxml2 version. We are facing issues with that.
2. Our current code is written in Python 2.7. Is it easy to migrate to Python 3.5 or later without much code change? Also we would like to know if python 3 is available for win-amd64?
Kindly let us know the easy and feasible solution for our scenario. This upgrade is required to mitigate security vulnerabilities found in libxml2.
Regards,
Swarna
On Tue, Sep 5, 2017 at 11:59 PM, Stefan Behnel <stefan_ml@behnel.de> wrote:
Hi,
Swarnalatha Kannan wrote on 05.09.2017 at 17:55:
I would like to know if security vulnerabilities on libxml2 holds good for lxml. We are using lxml-3.3.4.win-amd64-py2.7.exe in our project. After installation, I could only see .h files inside libxml folder of lxml. (C:\Python27\Lib\site-packages\lxml\includes\libxml). I would like to know about the implementations of these header file functions. Because most of the vulnerabilities mentioned are part of .c files. Kindly get back.
The header files are only there for external code that wants to compile against lxml. What you are interested in is the libxml2 version that the Windows binaries include. You can look that up in lxml itself:
    from lxml import etree
    print("%-20s: %s" % ('lxml.etree', etree.LXML_VERSION))
    print("%-20s: %s" % ('libxml used', etree.LIBXML_VERSION))
    print("%-20s: %s" % ('libxml compiled', etree.LIBXML_COMPILED_VERSION))
    print("%-20s: %s" % ('libxslt used', etree.LIBXSLT_VERSION))
    print("%-20s: %s" % ('libxslt compiled', etree.LIBXSLT_COMPILED_VERSION))
lxml 3.3.4 is hugely old and probably comes with some 2.7.x version of libxml2, maybe 2.7.8. These old versions have bugs that most likely include security relevant ones.
I recommend switching to Python 3.5 or 3.6. The corresponding lxml wheels for Windows come with more recent library versions.
Stefan
On .09.2017, at 18:07, Swarnalatha Kannan <swarna298@gmail.com> wrote:
Team, Kindly suggest a better solution/approach for our problem.
Swarna, you are mistaken if you think there is some kind of team behind this mailing list. lxml is an open source project and this mailing list is for the discussion of its users.
However, if you are looking for *professional* support for lxml in your company's environment then I'm sure there are people capable of providing it.
Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D- 40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
Swarnalatha Kannan wrote on 12.09.2017 at 18:07:
We would like to get lxml which is bundled with libxml2 version 2.9.4 for python 2.7 windows installer (win-amd64-py2.7.exe)
The Windows binary wheels for lxml 4.0 should be using libxml2 2.9.5 when they become available. Hopefully soon.
Stefan
participants (4)
- Charlie Clark
- Christian Fersch
- Stefan Behnel
- Swarnalatha Kannan