
Upgrade bundled expat to 2.5.0 #98739

Open
scdub opened this issue Oct 26, 2022 · 1 comment
Assignees: ambv, ned-deily
Labels: 3.7, 3.8, 3.9, release-blocker, type-bug (An unexpected behavior, bug, or error), type-security (A security issue)

Comments

scdub (Contributor) commented Oct 26, 2022

Upgrade the bundled libexpat version to 2.5.0, which includes a fix for CVE-2022-43680. I haven't evaluated whether CPython is directly impacted by this CVE, but I can confirm that it is detected by binary analysis tools such as Black Duck.

Related libexpat changelog includes additional fixes and details.
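For anyone triaging this on their own fleet, the practical question is which libexpat a given interpreter actually links against. The following is an added example, not code from the issue or from CPython itself; it reads the documented `pyexpat.version_info` tuple and `pyexpat.EXPAT_VERSION` string and compares them against the 2.5.0 threshold named in the issue. The version-string parser and the function names are assumptions of this example.

```python
"""Report which libexpat a running CPython is linked against.

Added example (not part of the issue). The only facts taken from the
issue are the fixed release (2.5.0) and the CVE it addresses.
"""
import re
import pyexpat

# libexpat release that, per the issue, carries the fix for CVE-2022-43680
FIXED_VERSION = (2, 5, 0)


def parse_expat_version(version_string):
    """Turn a pyexpat.EXPAT_VERSION-style string such as "expat_2.5.0"
    into a (major, minor, micro) tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if m is None:
        raise ValueError(f"unrecognised expat version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def expat_is_fixed(version_info):
    """True when the (major, minor, micro) tuple is at or beyond FIXED_VERSION."""
    return tuple(version_info) >= FIXED_VERSION


def check_interpreter():
    """Return (version_tuple, is_fixed) for the interpreter running this code.

    pyexpat reports whatever libexpat was linked at build time: the bundled
    copy for python.org / Windows / macOS builds, or the system library when
    CPython was configured with --with-system-expat (common for distro builds).
    """
    version = pyexpat.version_info
    return version, expat_is_fixed(version)


if __name__ == "__main__":
    ver, ok = check_interpreter()
    status = "at or above" if ok else "below"
    print(f"pyexpat reports {pyexpat.EXPAT_VERSION} -> {ver}; "
          f"{status} {'.'.join(map(str, FIXED_VERSION))}")
```

Run it under each interpreter you ship; a result below 2.5.0 on a distro-built Python usually means the fix has to come from the distribution's libexpat package rather than from a CPython upgrade.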

@scdub scdub added the type-bug An unexpected behavior, bug, or error label Oct 26, 2022
@gpshead gpshead added the type-security A security issue label Oct 27, 2022
gpshead pushed a commit that referenced this issue Oct 27, 2022
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2022
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299)

Co-authored-by: Shaun Walbridge <46331011+scdub@users.noreply.github.com>
(miss-islington pushed the same commit to miss-islington/cpython four more times on Oct 27, 2022, each a cherry-pick of 3e07f82 with the message above.)
@gpshead gpshead self-assigned this Oct 27, 2022
gpshead (Member) commented Oct 27, 2022

Thanks for making the PR! Release branch merges will happen but are pending figuring out why the CLA bot is mistakenly not accepting those on our end.

miss-islington added a commit that referenced this issue Oct 27, 2022
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <46331011+scdub@users.noreply.github.com>
(miss-islington added a second commit with the same message on Oct 27, 2022.)
@gpshead gpshead assigned ambv and ned-deily and unassigned gpshead Oct 27, 2022
ambv pushed a commit that referenced this issue Oct 28, 2022
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f82)
(ambv pushed two more commits with the same message on Oct 28, 2022.)
gvanrossum pushed a commit to gvanrossum/cpython that referenced this issue Oct 28, 2022
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
Project status: In Progress