From: Mark H Weaver
To: Leo Famulari, 47319@debbugs.gnu.org
Subject: bug#47319: python-lxml is vulnerable to CVE-2021-28957
Date: Mon, 05 Apr 2021 19:54:54 -0400
Message-ID: <87wntg5lsm.fsf@netris.org>
References: <8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net>
List-Id: Bug reports for GNU Guix
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security

Leo Famulari writes:

> On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Has lots of dependents so I suppose it needs grafting? Is that useful
>> and does it work for Python packages?
>
> Grafting Python packages is not something we've done in the past, as far
> as I can tell from reading the Git log, although I don't recall know if
> it works or not.

I see no reason why grafting a Python package wouldn't work, although
admittedly my knowledge of Python is weak.

      Mark