python-lxml Precise package needs updating after libxml2 security patch

Bug #1201745 reported by Lars Butler
This bug report is a duplicate of: Bug #1201849: libxml2 security update regression.
This bug affects 4 people
Affects: lxml (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Ubuntu Security Team
Milestone: (none listed)

Bug Description

$ lsb_release -rd
Description: Ubuntu 12.04.2 LTS
Release: 12.04
$ apt-cache policy python-lxml
python-lxml:
  Installed: 2.3.2-1
  Candidate: 2.3.2-1
  Version table:
 *** 2.3.2-1 0
        500 http://it.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy libxml2
libxml2:
  Installed: 2.7.8.dfsg-5.1ubuntu4.5
  Candidate: 2.7.8.dfsg-5.1ubuntu4.5
  Version table:
 *** 2.7.8.dfsg-5.1ubuntu4.5 0
        500 http://it.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.8.dfsg-5.1ubuntu4 0
        500 http://it.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

---------

All of the details--including a script to reproduce the error--are in https://bugs.launchpad.net/lxml/+bug/1201735. I initially filed the bug here, but, as there is already a fix, this seems to be a packaging issue now.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxml (Ubuntu):
status: New → Confirmed
scoder (scoder) wrote :

And while at it, I'd also recommend upgrading to 2.3.6. It contains several crash bug fixes. I guess 3.2.1 is out of scope for Ubuntu 12.04.

http://lxml.de/2.3/changes-2.3.6.html

Lars Butler (lars-butler) wrote :

Probably the package needs to include this patch, to fix the crash noted in the bug report: https://github.com/lxml/lxml/commit/19f0a477c935b402c93395f8c0cb561646f4bdc3

@scoder, is that correct?

Matteo Nastasi (nastasi-oq) wrote :

Just a comment about the bug: I had tried to backport the 2.3.5 package version from Quantal; adding the patch https://github.com/lxml/lxml/commit/19f0a477c935b402c93395f8c0cb561646f4bdc3 seems to be not enough to solve the problem.

Matteo Nastasi (nastasi-oq) wrote :

LP: #1201849 is fixed and solves this issue.

Matthias Klose (doko)
Changed in lxml (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Tyler Hicks (tyhicks) wrote :

This bug was fixed with USN-1904-2:

  http://www.ubuntu.com/usn/USN-1904-2/
