pkgsrc-Changes archive

CVS commit: pkgsrc/textproc/py-lxml



Module Name:    pkgsrc
Committed By:   wiz
Date:           Sun Apr 19 17:17:42 UTC 2026

Modified Files:
        pkgsrc/textproc/py-lxml: Makefile distinfo

Log Message:
py-lxml: update to 6.1.0.

6.1.0 (2026-04-17)
==================

This release fixes a possible external entity injection (XXE) vulnerability in
``iterparse()`` and the ``ETCompatXMLParser``.

Features added
--------------

* GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes
  in ``lxml.html.defs``.  This allows ``lxml_html_clean`` to pass them through.
  Patch by oomsveta.

* The default chunk size for reading from file-likes in ``iterparse()`` is now configurable
  with a new ``chunk_size`` argument.

Bugs fixed
----------

* LP#2146291: The ``resolve_entities`` option was still set to ``True`` for
  ``iterparse`` and ``ETCompatXMLParser``, allowing for external entity injection (XXE)
  when using these parsers without setting this option explicitly.
  The default was now changed to ``'internal'`` only (as for the normal XML and HTML parsers
  since lxml 5.0).
  Issue found by Sihao Qiu as CVE-2026-41066.


To generate a diff of this commit:
cvs rdiff -u -r1.128 -r1.129 pkgsrc/textproc/py-lxml/Makefile
cvs rdiff -u -r1.84 -r1.85 pkgsrc/textproc/py-lxml/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/py-lxml/Makefile
diff -u pkgsrc/textproc/py-lxml/Makefile:1.128 pkgsrc/textproc/py-lxml/Makefile:1.129
--- pkgsrc/textproc/py-lxml/Makefile:1.128      Tue Apr 14 13:18:38 2026
+++ pkgsrc/textproc/py-lxml/Makefile    Sun Apr 19 17:17:41 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.128 2026/04/14 13:18:38 adam Exp $
+# $NetBSD: Makefile,v 1.129 2026/04/19 17:17:41 wiz Exp $
 
-DISTNAME=      lxml-6.0.4
+DISTNAME=      lxml-6.1.0
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    textproc python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=l/lxml/}
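
Review bot: On the DISTNAME line, the move from lxml-6.0.4 to lxml-6.1.0 picks up the CVE-2026-41066 fix, but the log's summary line only says "update to 6.1.0"; naming the security fix there would make the commit easier to spot when scanning for security updates. Per the quoted changelog, the release also changes the resolve_entities default for iterparse() and ETCompatXMLParser to 'internal', so dependents that relied on those parsers expanding external entities need an explicit setting.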

Index: pkgsrc/textproc/py-lxml/distinfo
diff -u pkgsrc/textproc/py-lxml/distinfo:1.84 pkgsrc/textproc/py-lxml/distinfo:1.85
--- pkgsrc/textproc/py-lxml/distinfo:1.84       Tue Apr 14 13:18:38 2026
+++ pkgsrc/textproc/py-lxml/distinfo    Sun Apr 19 17:17:41 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.84 2026/04/14 13:18:38 adam Exp $
+$NetBSD: distinfo,v 1.85 2026/04/19 17:17:41 wiz Exp $
 
-BLAKE2s (lxml-6.0.4.tar.gz) = 9a6a09945a9a0a72806c8e363de69b9be08bd765b4febd028d525526f3eb8df7
-SHA512 (lxml-6.0.4.tar.gz) = 6cdc4db84a6a5c00332ccf094d4526d9e3e5a0881f7dd4c8a0e36042ffd4f5cfa8320225a7a8167cd384d720fc472db9b9dbd297d6271e6165296ef244673a9d
-Size (lxml-6.0.4.tar.gz) = 4237780 bytes
+BLAKE2s (lxml-6.1.0.tar.gz) = e0657a5563550cd53f109fafdf1f6810613bab22d42e3c30cb0dd09a02bd6325
+SHA512 (lxml-6.1.0.tar.gz) = 1226453e909ba1d455a3f0e6ebb33cc5b7309ea678b423768ebc0a7ea9e6e4993d17acbed6945cc0c90f1f52f70e4968934812f7c5b6ceaf6d63bf32ca53bd33
+Size (lxml-6.1.0.tar.gz) = 4197006 bytes
 SHA1 (patch-setupinfo.py) = 43ac54758b37c79329a4dabae1c3240661193885
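
Review bot: The SHA1 (patch-setupinfo.py) context line is unchanged, so the local patch is carried over to 6.1.0 as is; confirm it still applies cleanly to the setupinfo.py shipped in lxml-6.1.0.tar.gz. The new BLAKE2s and SHA512 values are worth comparing against the upstream-published distfile as well as the locally fetched copy.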


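The changelog in the log message above says the affected parsers were exposed "when using these parsers without setting this option explicitly". The following is an added example, not part of the commit or of lxml: a standard-library `ast` scan that lists lxml `iterparse` / `ETCompatXMLParser` call sites relying on the `resolve_entities` default. The function names and the sample module are constructed for illustration.

```python
import ast

# Callables whose resolve_entities default changed in lxml 6.1.0, per the changelog.
AFFECTED = {"iterparse", "ETCompatXMLParser"}

def _lxml_bindings(tree):
    """Return (module_aliases, direct_names) bound to lxml.etree in this module."""
    modules, direct = set(), {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "lxml.etree":
                    modules.add(a.asname or "lxml.etree")
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            for a in node.names:
                if node.module == "lxml" and a.name == "etree":
                    modules.add(a.asname or "etree")
                elif node.module == "lxml.etree" and a.name in AFFECTED:
                    direct[a.asname or a.name] = a.name
    return modules, direct

def find_implicit_entity_defaults(source, filename="<src>"):
    """List (line, callable) for lxml calls that rely on the resolve_entities default."""
    tree = ast.parse(source, filename)
    modules, direct = _lxml_bindings(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f, target = node.func, None
        if isinstance(f, ast.Name):
            target = direct.get(f.id)
        elif isinstance(f, ast.Attribute) and f.attr in AFFECTED and ast.unparse(f.value) in modules:
            target = f.attr
        # An explicit keyword (not **kwargs) means the call does not depend on the default.
        if target and not any(kw.arg == "resolve_entities" for kw in node.keywords):
            findings.append((node.lineno, target))
    return sorted(findings)

# Constructed sample module, not taken from any real project.
SAMPLE = '''\
from lxml import etree
import xml.etree.ElementTree as ET
from lxml.etree import ETCompatXMLParser as Compat
for _, el in etree.iterparse("feed.xml"): pass
for _, el in etree.iterparse("feed.xml", resolve_entities=False): pass
parser = Compat()
for _, el in ET.iterparse("feed.xml"): pass
'''
```

On the sample, the scan reports lines 4 and 6 and skips both the call with an explicit `resolve_entities=False` and the standard-library `ET.iterparse` call.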
