5.0.2+security.1 — CVE-2026-41066 security backport#2

Open
martinPavesio wants to merge 3 commits into python-2.7-maint from security/cve-2026-41066

Conversation

@martinPavesio

Backport of CVE-2026-41066 (GHSA-vfmq-68hx-4jfw) for Python 2.7.

Commits

  1. Patching — AS Platform build fixes (setupinfo.py, versioninfo.py, Windows zlib)
  2. Backporting — CVE-2026-41066: resolve_entities='internal' in iterparse.pxi and parser.pxi; const_xmlChar** cast in proxy.pxi
  3. Release — Version 5.0.2+security.1, CHANGES.txt

Tag

5.0.2.1 (version string: 5.0.2+security.1)

Ticket: CS-2178

…ility

- setupinfo.py: route to AS-installed libxml2/libxslt via pkg-config
- setupinfo.py: replace f-string in get_dotfile_version() with str.format()
  so setup.py can be invoked under Python 2.7
- setupinfo.py: use 'z' instead of 'zlib' in Windows libs.extend() for
  correct static zlib library name
- versioninfo.py: use __file__ instead of sys.argv[0] for base directory
  detection so it works correctly when invoked via the AS wheel builder
…on sources

CVE-2026-41066 (GHSA-vfmq-68hx-4jfw): iterparse() and ETCompatXMLParser()
defaulted to resolve_entities=True, allowing XXE injection from untrusted XML.
Upstream fix: lxml 6.1.0, commit ab431ea (LP#2146291).

- iterparse.pxi: resolve_entities default True -> 'internal'
- parser.pxi: ETCompatXMLParser resolve_entities default True -> 'internal'
- proxy.pxi: cast &c_attribute.defaultValue to <const_xmlChar**> at the
  _fixThreadDictPtr call site to fix -Werror=incompatible-pointer-types on
  GCC 14 / libxml2 2.15.x (Rocky 9 builder)

Cython 3 will regenerate etree.c from these sources at build time.
Version string: 5.0.2+security.1 (PEP 440 local identifier)
Git tag: 5.0.2.1

CHANGES.txt updated with security release notes.
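The backport changes the default of resolve_entities from True to 'internal' for iterparse() and ETCompatXMLParser. As an added example, not code from this PR or from lxml, the script below shows the distinction that default encodes by triaging the DTD of an untrusted document before it reaches any parser: inline entity declarations (still expanded under 'internal') versus SYSTEM/PUBLIC entities and external DTD references (only fetched under True). The sample documents, the example.invalid URIs and the function names are constructed for this example; with lxml itself the equivalent explicit setting is passing resolve_entities='internal' (or False) to etree.XMLParser / etree.iterparse instead of relying on the default, assuming, as the commit list implies, the 'internal' value is already accepted by the parser in this tree.

```python
"""Pre-parse DTD triage for untrusted XML (added example, not lxml code).

Mirrors the distinction behind lxml's resolve_entities option: True expands
every entity, 'internal' expands only entities whose replacement text is
declared inline in the internal DTD subset, False expands none. The triage
reports which kinds of declarations a document carries so a caller can reject
documents that would need external fetches, even when it cannot be sure what
defaults the installed parser applies.
"""
import re

# Start of the root element: the first '<' not followed by '?' or '!'.
# Everything before it is the prolog, where a DOCTYPE may appear.
_ROOT_START_RE = re.compile(rb'<(?![?!])')

# <!DOCTYPE root [SYSTEM|PUBLIC ...] [ internal subset ]>
_DOCTYPE_RE = re.compile(
    rb'<!DOCTYPE\s+(?P<root>[^\s>\[]+)'
    rb'(?:\s+(?P<extid>(?:SYSTEM|PUBLIC)\s+[^\[>]*?))?'
    rb'\s*(?:\[(?P<subset>.*?)\])?\s*>',
    re.S,
)

# <!ENTITY [%] name [SYSTEM|PUBLIC] "..."> inside the internal subset.
_ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+'
    rb'(?:(?P<ext>SYSTEM|PUBLIC)\s+)?["\']'
)


def classify_entities(xml_bytes):
    """Describe the DTD found in the prolog of ``xml_bytes``.

    Returns a dict with:
      external_dtd: True if the DOCTYPE itself carries a SYSTEM/PUBLIC
                    identifier (an external DTD to be fetched).
      internal:     names of entities declared with inline replacement
                    text; these are what resolve_entities='internal'
                    still expands.
      external:     names of SYSTEM/PUBLIC entities; parameter entities
                    are listed with a leading '%'. Only
                    resolve_entities=True would fetch these.
    """
    result = {'external_dtd': False, 'internal': [], 'external': []}
    m = _ROOT_START_RE.search(xml_bytes)
    prolog = xml_bytes if m is None else xml_bytes[:m.start()]
    doctype = _DOCTYPE_RE.search(prolog)
    if doctype is None:
        return result
    result['external_dtd'] = doctype.group('extid') is not None
    subset = doctype.group('subset') or b''
    for ent in _ENTITY_RE.finditer(subset):
        name = ent.group('name').decode('ascii', 'replace')
        if ent.group('param'):
            name = '%' + name
        if ent.group('ext'):
            result['external'].append(name)
        else:
            result['internal'].append(name)
    return result


def would_fetch_external(xml_bytes):
    """True if parsing with resolve_entities=True could read external resources."""
    info = classify_entities(xml_bytes)
    return bool(info['external_dtd'] or info['external'])


# Constructed sample documents (not taken from the PR or any report).
SAMPLE_INTERNAL = b'''<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello">
]>
<note>&greeting;</note>
'''

SAMPLE_EXTERNAL = b'''<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "http://example.invalid/resource.txt">
  <!ENTITY % pe SYSTEM "http://example.invalid/extra.dtd">
  %pe;
]>
<note>&ext;</note>
'''

SAMPLE_EXTERNAL_DTD = b'<!DOCTYPE note SYSTEM "http://example.invalid/note.dtd"><note/>'


if __name__ == '__main__':
    for label, doc in [('internal-only', SAMPLE_INTERNAL),
                       ('external entities', SAMPLE_EXTERNAL),
                       ('external DTD', SAMPLE_EXTERNAL_DTD)]:
        print(label, classify_entities(doc),
              'fetches external:', would_fetch_external(doc))
```

Run directly, the script prints the triage for the three constructed samples; the first is the only one a parser left at the backported 'internal' default fully expands without touching anything outside the document. The triage is a coarse prolog scan, not a DTD parser, so it is a gate in front of the real parser rather than a replacement for setting resolve_entities explicitly.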

@icanhasmath icanhasmath left a comment


Looks good.
