diff --git a/.gitignore b/.gitignore
index 20f261f..70e2bc6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/lxml-4.6.2.tar.gz
+SOURCES/lxml-4.6.5.tar.gz
diff --git a/.python-lxml.metadata b/.python-lxml.metadata
index 5eb4d34..fcf7f24 100644
--- a/.python-lxml.metadata
+++ b/.python-lxml.metadata
@@ -1 +1 @@
-ab5b8053945d1404b4e54cfd62afc38c8b62aa0c SOURCES/lxml-4.6.2.tar.gz
+04a3ed4d33a511b5796880461b0edb6f3b144547 SOURCES/lxml-4.6.5.tar.gz
diff --git a/SOURCES/CVE-2021-28957.patch b/SOURCES/CVE-2021-28957.patch
deleted file mode 100644
index 0368606..0000000
--- a/SOURCES/CVE-2021-28957.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
-index caf6b21..ea3c016 100644
---- a/src/lxml/html/defs.py
-+++ b/src/lxml/html/defs.py
-@@ -21,6 +21,8 @@ link_attrs = frozenset([
- 'usemap',
- # Not standard:
- 'dynsrc', 'lowsrc',
-+ # HTML5 formaction
-+ 'formaction'
- ])
-
- # Not in the HTML 4 spec:
-diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
-index 451eec2..e40cdad 100644
---- a/src/lxml/html/tests/test_clean.py
-+++ b/src/lxml/html/tests/test_clean.py
-@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
- b'',
- lxml.html.tostring(clean_html(s)))
-
-+ def test_formaction_attribute_in_button_input(self):
-+ # The formaction attribute overrides the form's action and should be
-+ # treated as a malicious link attribute
-+ html = (''
-+ '')
-+ expected = ('
'
-+ '
')
-+ cleaner = Cleaner(
-+ forms=False,
-+ safe_attrs_only=False,
-+ )
-+ self.assertEqual(
-+ expected,
-+ cleaner.clean_html(html))
-+
-
- def test_suite():
- suite = unittest.TestSuite()
diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec
index 0111e56..655b928 100644
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@@ -1,19 +1,14 @@
%global modname lxml
Name: python-%{modname}
-Version: 4.6.2
-Release: 3%{?dist}
+Version: 4.6.5
+Release: 1%{?dist}
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD
URL: https://github.com/lxml/lxml
Source0: %{pypi_source %{modname}}
-# Fix for CVE-2021-28957: missing input sanitization
-# for formaction HTML5 attributes which may lead to XSS
-# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
-Patch1: CVE-2021-28957.patch
-
# Exclude i686 arch. Due to a modularity issue it's being added to the
# x86_64 compose of CRB, but we don't want to ship it at all.
# See: https://projects.engineering.redhat.com/browse/RCM-72605
@@ -53,25 +48,31 @@ Python 3 version.
find -type f -name '*.c' -print -delete
%build
-env WITH_CYTHON=true %py3_build
+export WITH_CYTHON=true
+%py3_build
%install
%py3_install
%check
-# The test invocation below actually runs 0 tests.
-# Fedora BZ for this problem: https://bugzilla.redhat.com/show_bug.cgi?id=1918626
-# We have been unable to make the tests run properly in the spec file, but the
-# test suite is being run as part of the QE tests and gating.
-%{__python3} setup.py test
+# The tests assume inplace build, so we copy the built library to source-dir.
+# If not done that, Python can either import the tests or the extension modules, but not both.
+cp -a build/lib.%{python3_platform}-%{python3_version}/* src/
+# The options are: verbose, unit, functional
+%{python3} test.py -vuf
%files -n python%{python3_pkgversion}-%{modname}
-%license doc/licenses/ZopePublicLicense.txt LICENSES.txt
+%license LICENSES.txt
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%{python3_sitearch}/%{modname}/
%{python3_sitearch}/%{modname}-*.egg-info/
%changelog
+* Thu Jan 06 2022 Charalampos Stratakis - 4.6.5-1
+- Update to 4.6.5
+- Security fix for CVE-2021-43818
+Resolves: rhbz#2032569
+
* Wed Mar 24 2021 Charalampos Stratakis - 4.6.2-3
- Security fix for CVE-2021-28957
Resolves: rhbz#1941534