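--- a/SPECS/python-lxml/CVE-2026-41066.patch
+++ b/SPECS/python-lxml/CVE-2026-41066.patch
@@ -0,0 +1,102 @@
+From 034dfbac902baa560423f1268dedf74e6730573a Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Wed, 29 Apr 2026 09:37:00 +0000
+Subject: [PATCH] LP#2146291: Set resolve_entities='internal' as default for
+parser subclasses; update iterparse signature and docs accordingly.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/lxml/lxml/commit/ab431ea0b9a7357d968f1d1c5c614649e9aaf358.patch
+---
+src/lxml/iterparse.pxi | 11 +++++++----
+src/lxml/parser.pxi | 10 +++++-----
+2 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
+index a7299da..52d0ea7 100644
+--- a/src/lxml/iterparse.pxi
++++ b/src/lxml/iterparse.pxi
+@@ -6,7 +6,8 @@ cdef class iterparse:
+u"""iterparse(self, source, events=("end",), tag=None, \
+attribute_defaults=False, dtd_validation=False, \
+load_dtd=False, no_network=True, remove_blank_text=False, \
+- remove_comments=False, remove_pis=False, encoding=None, \
++ compact=True, resolve_entities='internal', remove_comments=False, \
++ remove_pis=False, strip_cdata=True, encoding=None, \
+html=False, recover=None, huge_tree=False, schema=None)
+
+Incremental parser.
+@@ -42,9 +43,11 @@ cdef class iterparse:
+- remove_blank_text: discard blank text nodes
+- remove_comments: discard comments
+- remove_pis: discard processing instructions
+- - strip_cdata: replace CDATA sections by normal text content (default: True)
++ - strip_cdata: replace CDATA sections by normal text content (default:
++ True for XML, ignored otherwise)
+- compact: safe memory for short text content (default: True)
+- - resolve_entities: replace entities by their text value (default: True)
++ - resolve_entities: replace entities by their text value
++ (default: 'internal' only)
+- huge_tree: disable security restrictions and support very deep trees
+and very long text content (only affects libxml2 2.7+)
+- html: parse input as HTML (default: XML)
+@@ -67,7 +70,7 @@ cdef class iterparse:
+def __init__(self, source, events=(u"end",), *, tag=None,
+attribute_defaults=False, dtd_validation=False,
+load_dtd=False, no_network=True, remove_blank_text=False,
+- compact=True, resolve_entities=True, remove_comments=False,
++ compact=True, resolve_entities='internal', remove_comments=False,
+remove_pis=False, strip_cdata=True, encoding=None,
+html=False, recover=None, huge_tree=False, collect_ids=True,
+XMLSchema schema=None):
+diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
+index 068cdd3..c00c524 100644
+--- a/src/lxml/parser.pxi
++++ b/src/lxml/parser.pxi
+@@ -1478,7 +1478,7 @@ _XML_DEFAULT_PARSE_OPTIONS = (
+)
+
+cdef class XMLParser(_FeedParser):
+- u"""XMLParser(self, encoding=None, attribute_defaults=False, dtd_validation=False, load_dtd=False, no_network=True, ns_clean=False, recover=False, schema: XMLSchema =None, huge_tree=False, remove_blank_text=False, resolve_entities=True, remove_comments=False, remove_pis=False, strip_cdata=True, collect_ids=True, target=None, compact=True)
++ u"""XMLParser(self, encoding=None, attribute_defaults=False, dtd_validation=False, load_dtd=False, no_network=True, ns_clean=False, recover=False, schema: XMLSchema =None, huge_tree=False, remove_blank_text=False, resolve_entities='internal', remove_comments=False, remove_pis=False, strip_cdata=True, collect_ids=True, target=None, compact=True)
+
+The XML parser.
+
+@@ -1508,7 +1508,7 @@ cdef class XMLParser(_FeedParser):
+- strip_cdata - replace CDATA sections by normal text content (default: True)
+- compact - save memory for short text content (default: True)
+- collect_ids - use a hash table of XML IDs for fast access (default: True, always True with DTD validation)
+- - resolve_entities - replace entities by their text value (default: True)
++ - resolve_entities - replace entities by their text value (default: 'internal')
+- huge_tree - disable security restrictions and support very deep trees
+and very long text content (only affects libxml2 2.7+)
+
+@@ -1525,7 +1525,7 @@ cdef class XMLParser(_FeedParser):
+def __init__(self, *, encoding=None, attribute_defaults=False,
+dtd_validation=False, load_dtd=False, no_network=True,
+ns_clean=False, recover=False, XMLSchema schema=None,
+- huge_tree=False, remove_blank_text=False, resolve_entities=True,
++ huge_tree=False, remove_blank_text=False, resolve_entities='internal',
+remove_comments=False, remove_pis=False, strip_cdata=True,
+collect_ids=True, target=None, compact=True):
+cdef int parse_options
+@@ -1594,7 +1594,7 @@ cdef class ETCompatXMLParser(XMLParser):
+u"""ETCompatXMLParser(self, encoding=None, attribute_defaults=False, \
+dtd_validation=False, load_dtd=False, no_network=True, \
+ns_clean=False, recover=False, schema=None, \
+- huge_tree=False, remove_blank_text=False, resolve_entities=True, \
++ huge_tree=False, remove_blank_text=False, resolve_entities='internal', \
+remove_comments=True, remove_pis=True, strip_cdata=True, \
+target=None, compact=True)
+
+@@ -1608,7 +1608,7 @@ cdef class ETCompatXMLParser(XMLParser):
+def __init__(self, *, encoding=None, attribute_defaults=False,
+dtd_validation=False, load_dtd=False, no_network=True,
+ns_clean=False, recover=False, schema=None,
+- huge_tree=False, remove_blank_text=False, resolve_entities=True,
++ huge_tree=False, remove_blank_text=False, resolve_entities='internal',
+remove_comments=True, remove_pis=True, strip_cdata=True,
+target=None, compact=True):
+XMLParser.__init__(self,
+--
+2.45.4
+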
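Review bot: The backported patch changes only the declared default of `resolve_entities` (iterparse `__init__`, `XMLParser.__init__`, `ETCompatXMLParser.__init__`) and the matching docstrings, so whether the new default actually restricts entity expansion depends on option-handling code outside these hunks; in a tree that still treats the option as a plain boolean, the non-empty string `'internal'` is truthy and would behave exactly like the old `True`, making the change documentation-only. The target version's `_BaseParser.__init__` (not shown in any hunk; the `XMLParser.__init__` body continues past the hunk at `cdef int parse_options`) should be confirmed to recognise `'internal'` as a distinct value — upstream lxml introduced that value together with the logic that blocks external entity resolution, as far as I recall, and the referenced upstream commit presumably relies on it. The spec would benefit from a regression test that parses a document declaring an external entity under the default parser and asserts it is not expanded, which pins the intended behaviour rather than the signature text. Minor: the Subject says "parser subclasses", but `XMLParser` itself and the `iterparse` class are also changed.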