Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade bundled expat to 2.5.0 #98739

Closed
scdub opened this issue Oct 26, 2022 · 2 comments
Closed

Upgrade bundled expat to 2.5.0 #98739

scdub opened this issue Oct 26, 2022 · 2 comments
Assignees
@ambv @ned-deily
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes release-blocker type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@scdub
Copy link
Contributor

scdub commented Oct 26, 2022

Upgrade the bundled libexpat version to 2.5.0 which includes a fix for CVE-2022-43680. I haven't evaluated whether CPython is directly impacted by this CVE, but can confirm that it is detected by binary analysis tools such as Black Duck.

Related libexpat changelog includes additional fixes and details.
@scdub scdub added the type-bug An unexpected behavior, bug, or error label Oct 26, 2022
@scdub scdub mentioned this issue Oct 26, 2022
Merged
@hartwork hartwork mentioned this issue Oct 27, 2022
Closed
27 tasks
@gpshead gpshead added the type-security A security issue label Oct 27, 2022
This was referenced Oct 27, 2022
Merged
Merged
gpshead pushed a commit that referenced this issue Oct 27, 2022
@scdub @scw
gh-98739: Update libexpat from 2.4.9 to 2.5.0 (#98742)
3e07f82 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2022
@scdub @miss-islington
pythongh-98739: Update libexpat from 2.4.9 to 2.5.0 (pythonGH-98742)
372517c 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2022
@scdub @miss-islington
pythongh-98739: Update libexpat from 2.4.9 to 2.5.0 (pythonGH-98742)
ebcf8c5 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2022
@scdub @miss-islington
pythongh-98739: Update libexpat from 2.4.9 to 2.5.0 (pythonGH-98742)
0daf8bf 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <[email protected]>
This was referenced Oct 27, 2022
Merged
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2022
@scdub @miss-islington
pythongh-98739: Update libexpat from 2.4.9 to 2.5.0 (pythonGH-98742)
478d221 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <[email protected]>
@bedevere-bot bedevere-bot mentioned this issue Oct 27, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2022
@scdub @miss-islington
pythongh-98739: Update libexpat from 2.4.9 to 2.5.0 (pythonGH-98742)
1112262 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <[email protected]>
@gpshead gpshead self-assigned this Oct 27, 2022
@gpshead
Copy link
Member

gpshead commented Oct 27, 2022

Thanks for making the PR! Release branch merges will happen but are pending figuring out why the CLA bot is mistakenly not accepting those on our end.

@gpshead gpshead moved this from Todo to In Progress in Release and Deferred blockers 🚫 Oct 27, 2022
miss-islington added a commit that referenced this issue Oct 27, 2022
@miss-islington @scdub
gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742)
c5f3f29 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <[email protected]>
miss-islington added a commit that referenced this issue Oct 27, 2022
@miss-islington @scdub
gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742)
e77af82 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <[email protected]>
@gpshead gpshead added 3.9 only security fixes 3.8 (EOL) end of life 3.7 (EOL) end of life labels Oct 27, 2022
@gpshead gpshead assigned ambv and ned-deily and unassigned gpshead Oct 27, 2022
ambv pushed a commit that referenced this issue Oct 28, 2022
@miss-islington
[3.7] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98788)
64e95f2 
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)
ambv pushed a commit that referenced this issue Oct 28, 2022
@miss-islington
[3.8] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98787)
0037d46 
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)
ambv pushed a commit that referenced this issue Oct 28, 2022
@miss-islington
[3.9] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98786)
71a075a 
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
(cherry picked from commit 3e07f82)
gvanrossum pushed a commit to gvanrossum/cpython that referenced this issue Oct 28, 2022
@scdub @scw @gvanrossum
pythongh-98739: Update libexpat from 2.4.9 to 2.5.0 (python#98742)
8f4ca21 
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <[email protected]>
@ned-deily
Copy link
Member

I believe all the backports have been merged and thus we can close this issue.

Repository owner moved this from In Progress to Done in Release and Deferred blockers 🚫 Dec 5, 2022
@scdub scdub mentioned this issue Dec 6, 2022
Closed
@MingcongBai MingcongBai mentioned this issue Dec 13, 2022
Closed
@hartwork hartwork mentioned this issue Feb 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ambv ambv

@ned-deily ned-deily

Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes release-blocker type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
Release and Deferred blockers 🚫
Archived in project
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ambv @gpshead @ned-deily @scdub