
Update lxml to 6.0.2 on Windows #68734

Open
twangboy wants to merge 1 commit into saltstack:3006.x from twangboy:topic/blackduck/libxml2_win

@twangboy twangboy commented Feb 14, 2026

What does this PR do?

BlackDuck is detecting libxml2 2.9.12 on Windows. This will update the lxml library which has a newer version of libxml2.

While the version number 2.11.9 looks lower than the required 2.12.10, the lxml maintainers use backpatched versions of the 2.11 branch for their Windows builds to maintain compatibility while fixing these specific CVEs (including CVE-2024-56171).

This also patches some other libraries:

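| Component | Version in lxml 4.9.1 | Version in lxml 6.0.2 | Status |
|-----------|-----------------------|-----------------------|--------|
| libxml2 | 2.9.12 | 2.11.9 (Patched) | Fixed (CVE-2024-56171) |
| zlib | 1.2.11 | 1.2.12 or higher | Fixed (CVE-2018-25032) |
| libxslt | 1.1.34 | 1.1.39 | Updated |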

From lxml 5.4 Release notes:
5.4.0 (2025-04-22)
Bugs fixed
LP#2107279: Binary wheels use libxml2 2.13.8 and libxslt 1.1.43 to resolve several CVEs. (Binary wheels for Windows continue to use a patched libxml2 2.11.9 and libxslt 1.1.39.) Issue found by Anatoly Katyushin.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Commits signed with GPG?

Yes
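
The version reasoning in the description above, written out as a triage check. This is an added example, not code from the PR or from Salt. The thresholds are the ones quoted in the description and the lxml 5.4.0 release note; the status labels and function names are assumptions made for the example.

```python
import sys

# Values taken from the PR description and the quoted lxml 5.4.0 release note.
REQUIRED_LIBXML2 = (2, 12, 10)        # version the description calls "required"
WINDOWS_PATCHED_LIBXML2 = (2, 11, 9)  # patched build shipped in Windows wheels
FIRST_LXML_WITH_NOTE = (5, 4, 0)      # release whose notes describe that build


def classify(platform, lxml_version, libxml2_version):
    """Return a triage label (labels are constructed for this example)."""
    lxml_version = tuple(lxml_version[:3])
    libxml2_version = tuple(libxml2_version[:3])
    if libxml2_version >= REQUIRED_LIBXML2:
        return "fixed-by-version"
    if (platform.startswith("win")
            and lxml_version >= FIRST_LXML_WITH_NOTE
            and libxml2_version == WINDOWS_PATCHED_LIBXML2):
        # The number alone looks too low; the fix status rests on the release
        # note, so it is recorded as a documented exception, not a version pass.
        return "backpatched-per-release-notes"
    return "needs-review"


def installed_report():
    """Inspect the lxml in the current interpreter; None if lxml is absent."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return {
        "lxml": etree.LXML_VERSION,
        "libxml2_runtime": etree.LIBXML_VERSION,
        "libxml2_compiled": etree.LIBXML_COMPILED_VERSION,
        "libxslt_runtime": etree.LIBXSLT_VERSION,
        "status": classify(sys.platform, etree.LXML_VERSION, etree.LIBXML_VERSION),
    }


if __name__ == "__main__":
    print(installed_report() or "lxml is not installed")
```

Running it inside the Salt Python environment on a Windows minion shows which libxml2 the installed wheel actually links, which is the evidence to attach when a scanner flags the 2.11.9 version number.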
