8000 Upgrade our bundled copy of libexpat to the latest (2.4.9?) · Issue #97005 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

Upgrade our bundled copy of libexpat to the latest (2.4.9?) #97005

New issue

Have a question about this 8000 project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gpshead opened this issue Sep 22, 2022 · 3 comments
Closed

Upgrade our bundled copy of libexpat to the latest (2.4.9?) #97005

gpshead opened this issue Sep 22, 2022 · 3 comments
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.12 only security fixes topic-XML type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@gpshead
Copy link
Member
gpshead commented Sep 22, 2022

There have been important security fixes in libexpat since our update to 2.4.7. Such as one for https://nvd.nist.gov/vuln/detail/CVE-2022-40674.

This likely impacts our binary releases that use our bundled expat libraries (Windows and macOS?) the most. Some OS distro Python packages often link against their own expat package which they've probably already patched.
@gpshead gpshead added type-bug An unexpected behavior, bug, or error type-security A security issue 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.8 (EOL) end of life 3.7 (EOL) end of life 3.12 only security fixes labels Sep 22, 2022
@gpshead
Copy link
Member Author
gpshead commented Sep 22, 2022

I did not look to see if our use of libexpat actually allows the CVE in question to be triggered. If so that suggests we should do this sooner rather than later, but it is good for us to stay up to date in a timely fashion regardless.

@corona10
Copy link
Member

cc @hartwork

@bedevere-bot bedevere-bot mentioned this issue Sep 22, 2022
Merged
corona10 added a commit to corona10/cpython that referenced this issue Sep 22, 2022
@corona10
pythongh-97005: Update libexpat from 2.4.7 to 2.4.9
cd6321b
corona10 added a commit to corona10/cpython that referenced this issue Sep 22, 2022
@corona10
pythongh-97005: Update libexpat from 2.4.7 to 2.4.9
4df6616
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 22, 2022
@corona10 @miss-islington
pythongh-97005: Update libexpat from 2.4.7 to 2.4.9 (pythongh-97006)
450a77d 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
@bedevere-bot bedevere-bot mentioned this issue Sep 22, 2022
Merged
corona10 added a commit that referenced this issue Sep 22, 2022
@corona10 @gpshead
gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)
10e3d39 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 22, 2022
@corona10 @miss-islington
pythongh-97005: Update libexpat from 2.4.7 to 2.4.9 (pythongh-97006)
7916bed 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
@bedevere-bot bedevere-bot mentioned this issue Sep 22, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 22, 2022
@corona10 @miss-islington
pythongh-97005: Update libexpat from 2.4.7 to 2.4.9 (pythongh-97006)
71bc5cd 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
@bedevere-bot bedevere-bot mentioned this issue Sep 22, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 22, 2022
@corona10 @miss-islington
pythongh-97005: Update libexpat from 2.4.7 to 2.4.9 (pythongh-97006)
b6a9c32 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
This was referenced Sep 22, 2022
Merged
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 22, 2022
@corona10 @miss-islington
pythongh-97005: Update libexpat from 2.4.7 to 2.4.9 (pythongh-97006)
ed737af 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
miss-islington added a commit that referenced this issue Sep 22, 2022
@miss-islington @corona10
gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)
6d9905f 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
miss-islington added a commit that referenced this issue Sep 22, 2022
@miss-islington @corona10
gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)
c967049 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
@hartwork hartwork mentioned this issue Sep 22, 2022
Closed
27 tasks
ambv pushed a commit that referenced this issue Oct 4, 2022
@miss-islington @corona10 @ned-deily
[3.9] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97012
9b409e4 
)

gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)

Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
Co-authored-by: Ned Deily <nad@python.org>
ambv pushed a commit that referenced this issue Oct 4, 2022
@miss-islington @corona10
[3.8] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97013
069b718 
)

gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)

Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
ambv pushed a commit that referenced this issue Oct 5, 2022
@miss-islington @corona10
[3.7] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (#97014)
46796ed 
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
@corona10
Copy link
Member
corona10 commented Oct 6, 2022

We can close this issue now :)

@corona10 corona10 closed this as completed Oct 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.12 only security fixes topic-XML type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mdboom @gpshead @corona10
0