classification
Title: Update expat to 2.1.1
Type: security Stage: resolved
Components: Extension Modules, XML Versions: Python 3.6, Python 3.5, Python 3.3, Python 3.4, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Brian Martin, benjamin.peterson, christian.heimes, georg.brandl, larry, mirko.dziadzka, ned.deily, python-dev
Priority: release blocker Keywords:

Created on 2016-03-14 10:31 by christian.heimes, last changed 2016-06-21 21:59 by Carson Lam. This issue is now closed.

Messages (10)
msg261741 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-03-14 10:31
A new version of expat has been released. 2.2.1 addressed CVE-2015-1283.
msg262020 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2016-03-19 06:51
Christian: Is that CVE the same crash as reported by mail by Gustavo Grieco?
msg262058 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-03-19 20:26
No, the other problem is CVE-2016-0718. We are still looking into the matter.
msg265425 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2016-05-12 20:38
Any progress on this?  It is still flagged as a Release Blocker and releases are approaching.
msg265426 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-05-12 20:51
Another critical bug fix will be released next Tuesday.
msg267619 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2016-06-07 10:26
Was this critical bug fix released on May 17th as promised?

I will not hold up 3.5.2 for this.  3.5.2 has waited long enough.
msg267697 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-06-07 15:42
There is another security release for expat planned, but we can skip it for now. I'll provide a patch for Python 2 and 3 with 2.1.1 by tomorrow.
msg268069 - (view) Author: Brian Martin (Brian Martin) Date: 2016-06-09 23:55
Per http://expat.sourceforge.net/, version 2.1.1 fixes CVE-2015-1283, not 2.2.1 as mentioned in a comment.
msg268202 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2016-06-11 08:52
Christian: I don't see any checkins on this issue, and I tag 3.4.4 rc1 and 3.5.2 rc1 in about twelve hours.  As I mentioned to you in person at the PyCon 2016 sprints, I'm not holding up either of these releases for the expat update.  If this is still open when it's time for me to tag those releases, I'll flip this to "deferred blocker".
msg268268 - (view) Author: Roundup Robot (python-dev) Date: 2016-06-11 20:35
New changeset d8a0a016d8d4 by Benjamin Peterson in branch '2.7':
upgrade expat to 2.1.1 (closes #26556)
https://hg.python.org/cpython/rev/d8a0a016d8d4

New changeset bb3ce78572f5 by Benjamin Peterson in branch '3.4':
upgrade expat to 2.1.1 (closes #26556)
https://hg.python.org/cpython/rev/bb3ce78572f5

New changeset f3c36afdedae by Benjamin Peterson in branch '3.5':
merge 3.4 (#26556)
https://hg.python.org/cpython/rev/f3c36afdedae

New changeset 77353f0106cc by Benjamin Peterson in branch 'default':
merge 3.5 (#26556)
https://hg.python.org/cpython/rev/77353f0106cc
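The thread above establishes that expat 2.1.1 is the release carrying the CVE-2015-1283 fix (msg268069) and that the changesets in msg268268 bundle that version into CPython 2.7, 3.4 and 3.5. What a practitioner usually needs is a quick way to tell whether the interpreter they are running actually links an expat at or above that version. The following is an added example, not code from this tracker issue, from CPython or from the expat project; it uses only the real pyexpat attributes version_info and EXPAT_VERSION, and the helper names (parse_expat_version, expat_version, fixed_for_cve_2015_1283, check_runtime) are this example's own.

```python
"""Runtime check: does this interpreter link an expat with the CVE-2015-1283 fix?

Added example, not code from bpo-26556, CPython or the expat project.
Only the pyexpat attributes ``version_info`` and ``EXPAT_VERSION`` are real;
every function name below is this example's own.
"""
import re
import sys
from typing import Dict, Tuple

import pyexpat

# expat 2.1.1 is the release that fixed CVE-2015-1283 (see msg268069);
# the changesets in msg268268 bundle it into CPython 2.7/3.4/3.5.
FIXED_IN = (2, 1, 1)

Version = Tuple[int, int, int]


def parse_expat_version(s: str) -> Version:
    """Parse the string form pyexpat.EXPAT_VERSION, e.g. 'expat_2.1.1'."""
    m = re.fullmatch(r"expat_(\d+)\.(\d+)\.(\d+)", s.strip())
    if m is None:
        raise ValueError("unrecognised EXPAT_VERSION string: %r" % (s,))
    major, minor, micro = (int(x) for x in m.groups())
    return (major, minor, micro)


def expat_version() -> Version:
    """Version of the expat library actually linked into this interpreter.

    This reflects the runtime library, which is the bundled copy only when
    CPython was built without --with-system-expat; distro builds normally
    link the system libexpat instead.
    """
    vi = getattr(pyexpat, "version_info", None)
    if vi is not None:
        return (vi[0], vi[1], vi[2])
    # Fall back to the string form so the result is the same on every Python.
    return parse_expat_version(pyexpat.EXPAT_VERSION)


def fixed_for_cve_2015_1283(version: Version) -> bool:
    """True when the given expat version is at least the 2.1.1 security release."""
    return tuple(version) >= FIXED_IN


def check_runtime() -> Dict[str, object]:
    """Summarise the running interpreter's expat and whether it is patched."""
    v = expat_version()
    return {
        "python": sys.version.split()[0],
        "expat": ".".join(str(x) for x in v),
        "fixed": fixed_for_cve_2015_1283(v),
    }


if __name__ == "__main__":
    info = check_runtime()
    status = "OK" if info["fixed"] else "VULNERABLE (expat < 2.1.1)"
    print("Python %s, expat %s: %s" % (info["python"], info["expat"], status))
```

Run it under each interpreter you care about rather than inspecting the CPython source tree: the version in Modules/expat only matters for builds that did not pass --with-system-expat to configure, so a vendor Python can report an older or newer expat than the one these changesets bundled.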
History
Date | User | Action | Args
2016-06-21 21:59:59 | Carson Lam | set | title: Update expat to 2.2.1 -> Update expat to 2.1.1
2016-06-11 20:35:41 | python-dev | set | status: open -> closed; nosy: + python-dev; messages: + msg268268; resolution: fixed; stage: needs patch -> resolved
2016-06-11 08:52:02 | larry | set | messages: + msg268202
2016-06-09 23:55:40 | Brian Martin | set | nosy: + Brian Martin; messages: + msg268069
2016-06-07 15:42:32 | christian.heimes | set | messages: + msg267697
2016-06-07 10:26:32 | larry | set | messages: + msg267619
2016-05-31 12:15:29 | mirko.dziadzka | set | nosy: + mirko.dziadzka
2016-05-12 20:51:13 | christian.heimes | set | messages: + msg265426
2016-05-12 20:38:29 | ned.deily | set | messages: + msg265425
2016-05-12 20:32:45 | ned.deily | set | nosy: + ned.deily
2016-03-19 20:26:24 | christian.heimes | set | messages: + msg262058
2016-03-19 06:51:10 | larry | set | messages: + msg262020
2016-03-14 10:31:35 | christian.heimes | create |