pythonPackages.lxml: 4.6.2 -> 4.6.3, addressing CVE-2021-28957 #117788

Merged
merged 1 commit into from Mar 27, 2021

Contributor

@risicle risicle commented Mar 27, 2021

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2021-28957

Haven't done a full re-eval yet, have a feeling I'm going to have to retarget this at staging..

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@risicle
Contributor Author

risicle commented Mar 27, 2021

The fix is basically the only patch in 4.6.2 -> 4.6.3, so can happily just cherry-pick to 20.09

@mweinelt
Member

> Haven't done a full re-eval yet, have a feeling I'm going to have to retarget this at staging..

Yep! Looks fine apart from that.

lxml/lxml@lxml-4.6.2...lxml-4.6.3

@risicle risicle changed the base branch from master to staging March 27, 2021 14:43
@risicle
Contributor Author

risicle commented Mar 27, 2021

Sorry, I disable branch editing because having people alter my branches confuses the shit out of me. Rebased/retargeted now.

@risicle
Contributor Author

risicle commented Mar 27, 2021

python38Packages.pandas builds for me on macos 10.14 (tested before the staging switch though)

@r-rmcgibbo

r-rmcgibbo commented Mar 27, 2021

Result of nixpkgs-review pr 117788 at 7b1807e8 run on x86_64-linux

742 packages marked as broken and skipped:
  • adobe-reader
  • adoptopenjdk-hotspot-bin-13
  • adoptopenjdk-hotspot-bin-14
  • adoptopenjdk-jre-hotspot-bin-13
  • adoptopenjdk-jre-hotspot-bin-14
  • adoptopenjdk-jre-openj9-bin-13
  • adoptopenjdk-jre-openj9-bin-14
  • adoptopenjdk-openj9-bin-13
  • adoptopenjdk-openj9-bin-14
  • agdaPackages.iowa-stdlib
  • ...
19089 packages skipped due to time constraints:
  • AusweisApp2
  • EBTKS
  • EmptyEpsilon
  • Fabric
  • MIDIVisualizer
  • MMA
  • OSCAR
  • OVMF
  • OVMF-CSM
  • OVMF-secureBoot
  • ...
21 packages built successfully:
  • cryptsetup
  • desktop-file-utils
  • fontconfig
  • gd
  • glib (gnome2.glib ,gnome3.glib)
  • gtk-doc (gnome2.gtkdoc)
  • gts
  • hidapi
  • libfido2
  • libusb1
  • libva-minimal
  • lvm2
  • openssh
  • python38Packages.fontforge
  • python38Packages.lxml
  • shared-mime-info
  • systemdMinimal
  • wayland
  • wayland-protocols
  • xlibsWrapper (xorg.xlibsWrapper)
  • xorg.libXft

Result of nixpkgs-review pr 117788 at 7b1807e8 run on aarch64-linux

838 packages marked as broken and skipped:
  • OVMF-CSM
  • adoptopenjdk-hotspot-bin-13
  • adoptopenjdk-hotspot-bin-14
  • adoptopenjdk-jre-hotspot-bin-13
  • adoptopenjdk-jre-hotspot-bin-14
  • agdaPackages.iowa-stdlib
  • aldor
  • alliance
  • ams-lv2
  • amule
  • ...
17151 packages skipped due to time constraints:
  • AusweisApp2
  • EBTKS
  • EmptyEpsilon
  • Fabric
  • MIDIVisualizer
  • MMA
  • OVMF
  • OVMF-secureBoot
  • R
  • SDL
  • ...
21 packages built successfully:
  • cryptsetup
  • fontconfig
  • gd
  • glib (gnome2.glib ,gnome3.glib)
  • gtk-doc (gnome2.gtkdoc)
  • gts
  • hidapi
  • libfido2
  • libusb1
  • libva-minimal
  • lvm2
  • openssh
  • python38Packages.et_xmlfile
  • python38Packages.fontforge
  • python38Packages.lxml
  • shared-mime-info
  • systemdMinimal
  • wayland
  • wayland-protocols
  • xlibsWrapper (xorg.xlibsWrapper)
  • xorg.libXft

@risicle
Contributor Author

risicle commented Mar 27, 2021

@ofborg eval

@SuperSandro2000
Member

SuperSandro2000 commented Mar 27, 2021

manual probably fails because of the uncached mass rebuild.

@mweinelt mweinelt merged commit 1b44e72 into NixOS:staging Mar 27, 2021
@mweinelt mweinelt added "8.has: port to stable" (A PR already has a backport to the stable release.) and removed "9.needs: port to stable" (A PR needs a backport to the stable release.) labels Mar 29, 2021