7 changed files with 185 additions and 362 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/lxml-4.4.1.tgz
+SOURCES/lxml-4.6.5.tar.gz
--- a/.python-lxml.metadata
+++ b/.python-lxml.metadata
@ -1 +1 @@
-96e0239b6524cb376f4f4d440e84da82691d278a SOURCES/lxml-4.4.1.tgz
+04a3ed4d33a511b5796880461b0edb6f3b144547 SOURCES/lxml-4.6.5.tar.gz
--- a/SOURCES/CVE-2020-27783.patch
+++ b/SOURCES/CVE-2020-27783.patch
@ -1,139 +0,0 @@
 From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 3 Dec 2020 11:53:15 +0100
 Subject: [PATCH] CVE-2020-27783
 Combines fixes for the CVE from two versions:
 - Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
 - Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
 ---
 src/lxml/html/clean.py             | 25 +++++++++++++++++--------
 src/lxml/html/tests/test_clean.py  | 21 +++++++++++++++++++++
 src/lxml/html/tests/test_clean.txt | 12 ++++++++++--
 3 files changed, 48 insertions(+), 10 deletions(-)
 diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
 index aa9fc57..15298b5 100644
 --- a/src/lxml/html/clean.py
 +++ b/src/lxml/html/clean.py
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
 # This is an IE-specific construct you can have in a stylesheet to
 # run some Javascript:
 -_css_javascript_re = re.compile(
 -    r'expression\s*\(.*?\)', re.S|re.I)
 +_replace_css_javascript = re.compile(
 +    r'expression\s*\(.*?\)', re.S|re.I).sub
 # Do I have to worry about @\nimport?
 -_css_import_re = re.compile(
 -    r'@\s*import', re.I)
 +_replace_css_import = re.compile(
 +    r'@\s*import', re.I).sub
 +
 +_looks_like_tag_content = re.compile(
 +    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
 # All kinds of schemes besides just javascript: that can cause
 # execution:
@@ -292,8 +295,8 @@ class Cleaner(object):
             if not self.inline_style:
                 for el in _find_styled_elements(doc):
                     old = el.get('style')
 -                    new = _css_javascript_re.sub('', old)
 -                    new = _css_import_re.sub('', new)
 +                    new = _replace_css_javascript('', old)
 +                    new = _replace_css_import('', new)
                     if self._has_sneaky_javascript(new):
                         # Something tricky is going on...
                         del el.attrib['style']
@@ -305,9 +308,9 @@ class Cleaner(object):
                         el.drop_tree()
                         continue
                     old = el.text or ''
 -                    new = _css_javascript_re.sub('', old)
 +                    new = _replace_css_javascript('', old)
                     # The imported CSS can do anything; we just can't allow:
 -                    new = _css_import_re.sub('', old)
 +                    new = _replace_css_import('', new)
                     if self._has_sneaky_javascript(new):
                         # Something tricky is going on...
                         el.text = '/* deleted */'
@@ -509,6 +512,12 @@ class Cleaner(object):
             return True
         if 'expression(' in style:
             return True
 +        if '</noscript' in style:
 +            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
 +            return True
 +        if _looks_like_tag_content(style):
 +            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
 +            return True
         return False
     def clean_html(self, html):
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
 index a193d99..ea7487c 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):
         self.assertEqual('child', clean_html(s).text_content())
 +    def test_sneaky_noscript_in_style(self):
 +        # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
 +        # thus passing the </noscript> through into the output.
 +        html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
 +        s = lxml.html.fragment_fromstring(html)
 +
 +        self.assertEqual(
 +            b'<noscript><style>/* deleted */</style></noscript>',
 +            lxml.html.tostring(clean_html(s)))
 +
 +    def test_sneaky_js_in_math_style(self):
 +        # This gets parsed as <math> -> <style>"..."</style>
 +        # thus passing any tag/script/whatever content through into the output.
 +        html = '<math><style><img src=x onerror=alert(1)></style></math>'
 +        s = lxml.html.fragment_fromstring(html)
 +
 +        self.assertEqual(
 +            b'<math><style>/* deleted */</style></math>',
 +            lxml.html.tostring(clean_html(s)))
 +
 +
 def test_suite():
     suite = unittest.TestSuite()
     suite.addTests([make_doctest('test_clean.txt')])
 diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
 index 2824f64..7df1f1d 100644
 --- a/src/lxml/html/tests/test_clean.txt
 +++ b/src/lxml/html/tests/test_clean.txt
@@ -104,7 +104,11 @@
 >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
 <html>
   <head>
 -    <style>/* deleted */</style>
 +    <style>
 +      body {background-image: url()};
 +      div {background-image: url()};
 +      div {color: };
 +    </style>
   </head>
   <body>
     <a href="">a link</a>
@@ -168,7 +172,11 @@
     <link rel="alternate" type="text/rss" src="evil-rss">
     <link rel="alternate" type="text/rss" href="http://example.com">
     <link rel="stylesheet" type="text/rss" href="http://example.com">
 -    <style>/* deleted */</style>
 +    <style>
 +      body {background-image: url()};
 +      div {background-image: url()};
 +      div {color: };
 +    </style>
   </head>
   <body>
     <a href="">a link</a>
 -- 
 2.28.0
--- a/SOURCES/CVE-2021-28957.patch
+++ b/SOURCES/CVE-2021-28957.patch
@ -1,39 +0,0 @@
 diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
 index caf6b21..ea3c016 100644
 --- a/src/lxml/html/defs.py
 +++ b/src/lxml/html/defs.py
@@ -21,6 +21,8 @@ link_attrs = frozenset([
     'usemap',
     # Not standard:
     'dynsrc', 'lowsrc',
 +    # HTML5 formaction
 +    'formaction'
     ])
 # Not in the HTML 4 spec:
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
 index 451eec2..e40cdad 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
             b'<math><style>/* deleted */</style></math>',
             lxml.html.tostring(clean_html(s)))
 +    def test_formaction_attribute_in_button_input(self):
 +        # The formaction attribute overrides the form's action and should be
 +        # treated as a malicious link attribute
 +        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
 +        '<button form="test" formaction="javascript:alert(1)">X</button>')
 +        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
 +        '<button form="test" formaction="">X</button></div>')
 +        cleaner = Cleaner(
 +            forms=False,
 +            safe_attrs_only=False,
 +        )
 +        self.assertEqual(
 +            expected,
 +            cleaner.clean_html(html))
 +
 def test_suite():
     suite = unittest.TestSuite()
--- a/SOURCES/CVE-2021-43818.patch
+++ b/SOURCES/CVE-2021-43818.patch
@ -1,127 +0,0 @@
 diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
 index 15298b5..ee2f0f8 100644
 --- a/src/lxml/html/clean.py
 +++ b/src/lxml/html/clean.py
@@ -73,18 +73,25 @@ _looks_like_tag_content = re.compile(
 # All kinds of schemes besides just javascript: that can cause
 # execution:
 -_is_image_dataurl = re.compile(
 -    r'^data:image/.+;base64', re.I).search
 +_find_image_dataurls = re.compile(
 +    r'^data:image/(.+);base64,', re.I).findall
 _is_possibly_malicious_scheme = re.compile(
 -    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
 -    re.I).search
 +    r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
 +    re.I).findall
 +# SVG images can contain script content
 +_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
 +
 def _is_javascript_scheme(s):
 -    if _is_image_dataurl(s):
 -        return None
 -    return _is_possibly_malicious_scheme(s)
 +    is_image_url = False
 +    for image_type in _find_image_dataurls(s):
 +        is_image_url = True
 +        if _is_unsafe_image_type(image_type):
 +            return True
 +    if is_image_url:
 +        return False
 +    return bool(_is_possibly_malicious_scheme(s))
 _substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
 -# FIXME: should data: be blocked?
 # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
 _conditional_comment_re = re.compile(
@@ -512,6 +519,8 @@ class Cleaner(object):
             return True
         if 'expression(' in style:
             return True
 +        if '@import' in style:
 +            return True
         if '</noscript' in style:
             # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
             return True
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
 index d8df527..7021e48 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
@@ -1,3 +1,5 @@
 +import base64
 +import gzip
 import unittest
 from lxml.tests.common_imports import make_doctest
@@ -89,6 +91,69 @@ class CleanerTest(unittest.TestCase):
             b'<math><style>/* deleted */</style></math>',
             lxml.html.tostring(clean_html(s)))
 +    def test_sneaky_import_in_style(self):
 +        # Prevent "@@importimport" -> "@import" replacement.
 +        style_codes = [
 +            "@@importimport(extstyle.css)",
 +            "@ @  import import(extstyle.css)",
 +            "@ @ importimport(extstyle.css)",
 +            "@@  import import(extstyle.css)",
 +            "@ @import import(extstyle.css)",
 +            "@@importimport()",
 +        ]
 +        for style_code in style_codes:
 +            html = '<style>%s</style>' % style_code
 +            s = lxml.html.fragment_fromstring(html)
 +
 +            cleaned = lxml.html.tostring(clean_html(s))
 +            self.assertEqual(
 +                b'<style>/* deleted */</style>',
 +                cleaned,
 +                "%s  ->  %s" % (style_code, cleaned))
 +
 +    def test_svg_data_links(self):
 +        # Remove SVG images with potentially insecure content.
 +        svg = b'<svg onload="alert(123)" />'
 +        svgz = gzip.compress(svg)
 +        svg_b64 = base64.b64encode(svg).decode('ASCII')
 +        svgz_b64 = base64.b64encode(svgz).decode('ASCII')
 +        urls = [
 +            "data:image/svg+xml;base64," + svg_b64,
 +            "data:image/svg+xml-compressed;base64," + svgz_b64,
 +        ]
 +        for url in urls:
 +            html = '<img src="%s">' % url
 +            s = lxml.html.fragment_fromstring(html)
 +
 +            cleaned = lxml.html.tostring(clean_html(s))
 +            self.assertEqual(
 +                b'<img src="">',
 +                cleaned,
 +                "%s  ->  %s" % (url, cleaned))
 +
 +    def test_image_data_links(self):
 +        data = b'123'
 +        data_b64 = base64.b64encode(data).decode('ASCII')
 +        urls = [
 +            "data:image/jpeg;base64," + data_b64,
 +            "data:image/apng;base64," + data_b64,
 +            "data:image/png;base64," + data_b64,
 +            "data:image/gif;base64," + data_b64,
 +            "data:image/webp;base64," + data_b64,
 +            "data:image/bmp;base64," + data_b64,
 +            "data:image/tiff;base64," + data_b64,
 +            "data:image/x-icon;base64," + data_b64,
 +        ]
 +        for url in urls:
 +            html = '<img src="%s">' % url
 +            s = lxml.html.fragment_fromstring(html)
 +
 +            cleaned = lxml.html.tostring(clean_html(s))
 +            self.assertEqual(
 +                html.encode("UTF-8"),
 +                cleaned,
 +                "%s  ->  %s" % (url, cleaned))
 +
     def test_formaction_attribute_in_button_input(self):
         # The formaction attribute overrides the form's action and should be
         # treated as a malicious link attribute
--- a/SOURCES/CVE-2022-2309.patch
+++ b/SOURCES/CVE-2022-2309.patch
@ -0,0 +1,104 @@
 diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi
 index 5eb3416..88a031d 100644
 --- a/src/lxml/apihelpers.pxi
 +++ b/src/lxml/apihelpers.pxi
@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node):
     while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE:
         c_ns = c_node.nsDef
         while c_ns is not NULL:
 -            prefix = funicodeOrNone(c_ns.prefix)
 -            if prefix not in nsmap:
 -                nsmap[prefix] = funicodeOrNone(c_ns.href)
 +            if c_ns.prefix or c_ns.href:
 +                prefix = funicodeOrNone(c_ns.prefix)
 +                if prefix not in nsmap:
 +                    nsmap[prefix] = funicodeOrNone(c_ns.href)
             c_ns = c_ns.next
         c_node = c_node.parent
     return nsmap
 diff --git a/src/lxml/includes/xmlparser.pxd b/src/lxml/includes/xmlparser.pxd
 index a196e34..45acfc8 100644
 --- a/src/lxml/includes/xmlparser.pxd
 +++ b/src/lxml/includes/xmlparser.pxd
@@ -144,6 +144,7 @@ cdef extern from "libxml/parser.h":
         void* userData
         int* spaceTab
         int spaceMax
 +        int nsNr
         bint html
         bint progressive
         int inSubset
 diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
 index 4c20506..3da7485 100644
 --- a/src/lxml/iterparse.pxi
 +++ b/src/lxml/iterparse.pxi
@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node):
     count = 0
     c_ns = c_node.nsDef
     while c_ns is not NULL:
 -        count += 1
 +        count += (c_ns.href is not NULL)
         c_ns = c_ns.next
     return count
@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1:
     count = 0
     c_ns = c_node.nsDef
     while c_ns is not NULL:
 -        ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '',
 -                    funicode(c_ns.href))
 -        event_list.append( (u"start-ns", ns_tuple) )
 -        count += 1
 +        if c_ns.href:
 +            ns_tuple = (funicodeOrEmpty(c_ns.prefix),
 +                        funicode(c_ns.href))
 +            event_list.append( (u"start-ns", ns_tuple) )
 +            count += 1
         c_ns = c_ns.next
     return count
 diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
 index 3ed223b..f5ff6b2 100644
 --- a/src/lxml/parser.pxi
 +++ b/src/lxml/parser.pxi
@@ -569,6 +569,9 @@ cdef class _ParserContext(_ResolverContext):
                 self._c_ctxt.disableSAX = 0 # work around bug in libxml2
             else:
                 xmlparser.xmlClearParserCtxt(self._c_ctxt)
 +                # work around bug in libxml2 [2.9.10 .. 2.9.14]:
 +                # https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
 +                self._c_ctxt.nsNr = 0
     cdef int prepare(self, bint set_document_loader=True) except -1:
         cdef int result
 diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
 index 42613dc..db1f560 100644
 --- a/src/lxml/tests/test_etree.py
 +++ b/src/lxml/tests/test_etree.py
@@ -1459,6 +1459,27 @@ class ETreeOnlyTestCase(HelperTestCase):
             [1,2,1,4],
             counts)
 +    def test_walk_after_parse_failure(self):
 +        # This used to be an issue because libxml2 can leak empty namespaces
 +        # between failed parser runs.  iterwalk() failed to handle such a tree.
 +        parser = etree.XMLParser()
 +
 +        try:
 +            etree.XML('''<anot xmlns="1">''', parser=parser)
 +        except etree.XMLSyntaxError:
 +            pass
 +        else:
 +            assert False, "invalid input did not fail to parse"
 +
 +        et = etree.XML('''<root>  </root>''', parser=parser)
 +        try:
 +            ns = next(etree.iterwalk(et, events=('start-ns',)))
 +        except StopIteration:
 +            # This would be the expected result, because there was no namespace
 +            pass
 +        else:
 +            assert False, "Found unexpected namespace '%s'" % ns
 +
     def test_itertext_comment_pi(self):
         # https://bugs.launchpad.net/lxml/+bug/1844674
         XML = self.etree.XML
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@ -1,39 +1,25 @@
 %global modname lxml
 %bcond_with python2
 Name:           python-%{modname}
-Version:        4.4.1
+Version:        4.6.5
-Release:        7%{?dist}
+Release:        3%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
-License:        BSD
+# The lxml project is licensed under BSD
 # Some code is derived from ElementTree and cElementTree
 # thus using the MIT-like elementtree license
 # .xsl schematron files are under the MIT and zlib license
 License:        BSD and MIT and zlib
 URL:            https://github.com/lxml/lxml
-Source0:        https://lxml.de/files/%{modname}-%{version}.tgz
+Source0:        %{pypi_source %{modname}}
-
+
-# Fix for CVE-2020-27783: mXSS due to the use of improper parser
+# Fix for CVE-2022-2309
-# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
+# Resolved upstream:
-# Two upstream commits combined:
+# https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
-#   Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
+# https://github.com/lxml/lxml/commit/d01872ccdf7e1e5e825b6c6292b43e7d27ae5fc4
-#   Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
+# https://github.com/lxml/lxml/commit/c742576c105f40fc8b754fcae56fee4aa35840a3
-Patch0:         CVE-2020-27783.patch
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2107571
-
+Patch0:         CVE-2022-2309.patch
 # Fix for CVE-2021-28957: missing input sanitization
 # for formaction HTML5 attributes which may lead to XSS
 # Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
 Patch1: CVE-2021-28957.patch
 # Fix for CVE-2021-43818: HTML Cleaner allows crafted
 # and SVG embedded scripts to pass through
 # Fixed upstream:
 # https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
 # https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
 Patch2: CVE-2021-43818.patch
 # Exclude i686 arch. Due to a modularity issue it's being added to the
 # x86_64 compose of CRB, but we don't want to ship it at all.
 # See: https://projects.engineering.redhat.com/browse/RCM-72605
 ExcludeArch: i686
 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
@ -48,29 +34,27 @@ home page < or see our bug tracker at case you want to use the current ...
 %description %{_description}
-%package -n     python%{python3_pkgversion}-%{modname}
+%package -n     python3-%{modname}
 Summary:        %{summary}
-BuildRequires:  python%{python3_pkgversion}-devel
+BuildRequires:  python3-devel
-BuildRequires:  python%{python3_pkgversion}-setuptools
+BuildRequires:  python3-setuptools
-BuildRequires:  python%{python3_pkgversion}-Cython
+BuildRequires:  python3-Cython
 BuildRequires:  python%{python3_pkgversion}-rpm-macros
 Suggests:       python%{python3_version}dist(cssselect) >= 0.7
 Suggests:       python%{python3_version}dist(html5lib)
 Suggests:       python%{python3_version}dist(beautifulsoup4)
-%{?python_provide:%python_provide python%{python3_pkgversion}-%{modname}}
+%{?python_provide:%python_provide python3-%{modname}}
-%description -n python%{python3_pkgversion}-%{modname} %{_description}
+%description -n python3-%{modname} %{_description}
 Python 3 version.
 %prep
-%autosetup -p1 -n %{modname}-%{version}
+%autosetup -n %{modname}-%{version} -p1
 # Remove pregenerated Cython C sources
 find -type f -name '*.c' -print -delete
 %build
-export WITH_CYTHON=true
+env WITH_CYTHON=true %py3_build
 %py3_build
 %install
 %py3_install
@ -82,30 +66,70 @@ cp -a build/lib.%{python3_platform}-%{python3_version}/* src/
 # The options are: verbose, unit, functional
 %{python3} test.py -vuf
-%files -n python%{python3_pkgversion}-%{modname}
+%files -n python3-%{modname}
-%license doc/licenses/ZopePublicLicense.txt LICENSES.txt
+%license LICENSES.txt doc/licenses/BSD.txt doc/licenses/elementtree.txt
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
 %{python3_sitearch}/%{modname}/
 %{python3_sitearch}/%{modname}-*.egg-info/
 %changelog
-* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.4.1-7
+* Wed Jul 27 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.6.5-3
- Security fix for CVE-2021-43818
+- Security fix for CVE-2022-2309
-Resolves: rhbz#2032569
+- Resolves: rhbz#2107571
-
+
-* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.4.1-6
+* Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 4.6.5-2
- Security fix for CVE-2021-28957
+- Add automatically generated Obsoletes tag with the python39- prefix
  for smoother upgrade from RHEL8
 - Related: rhbz#1990421
 * Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.6.5-1
 - Update to 4.6.5
 - Fixes CVE-2021-43818
 - Resolves: rhbz#2032569
 * Fri Nov 26 2021 Miro Hrončok <mhroncok@redhat.com> - 4.6.3-5
 - Run the tests during build
 - Resolves: rhbz#2026941
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 4.6.3-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Thu Jun 03 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.6.3-2
 - Update the license information
 * Thu May 20 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.6.3-1
 - Update to 4.6.3
 - Fixes CVE-2021-28957
 Resolves: rhbz#1941534
-* Thu Dec 03 2020 Lumír Balhar <lbalhar@redhat.com> - 4.4.1-5
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.6.2-3
- Security fix for CVE-2020-27783: mXSS due to the use of improper parser
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-Resolves: rhbz#1901633
+
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Dec 01 2020 Miro Hrončok <mhroncok@redhat.com> - 4.6.2-1
 - Update to 4.6.2
 - Fixes CVE-2020-27783 and another vulnerability in the HTML Cleaner
 - Fixes: rhbz#1855415
 - Fixes: rhbz#1901634
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jun 01 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 4.5.1-1
 - Update to 4.5.1
 * Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 4.4.1-5
 - Rebuilt for Python 3.9
-* Thu Dec 12 2019 Tomas Orsava <torsava@redhat.com> - 4.4.1-4
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.1-4
- Exclude unsupported i686 arch
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-* Wed Nov 20 2019 Lumír Balhar <lbalhar@redhat.com> - 4.4.1-3
+* Wed Nov 20 2019 Miro Hrončok <mhroncok@redhat.com> - 4.4.1-3
- Adjusted for Python 3.8 module in RHEL 8
+- Subpackage python2-lxml has been removed
  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
 * Sat Sep 07 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.1-2
 - Generate C files using py3 Cython
`@ -1 +1 @@`
	`SOURCES/lxml-4.4.1.tgz`	`SOURCES/lxml-4.6.5.tar.gz`
`@ -1 +1 @@`
	`96e0239b6524cb376f4f4d440e84da82691d278a SOURCES/lxml-4.4.1.tgz`	`04a3ed4d33a511b5796880461b0edb6f3b144547 SOURCES/lxml-4.6.5.tar.gz`