Python's libexpat vulnerable to CVE-2016-0718 #74795
Comments
Python's libexpat library is outdated and vulnerable to CVE-2016-0718 https://sourceforge.net/p/expat/bugs/537/
What is the first expat version which isn't vulnerable? I guess that this issue only impacts platforms which don't use --with-system-expat. Linux distributions use the system expat library for example. Currently, the Python master branch embeds a copy of expat 2.1.1: Modules/expat/expat.h
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1
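An added example, not part of the original thread or of CPython: one way to check which expat a given interpreter uses, by parsing the `XML_*_VERSION` defines from an `expat.h`, reading the version `pyexpat` reports, and looking for `--with-system-expat` in the build's configure arguments. The helper names are hypothetical, and the first fixed release is left as an input because the thread does not state it.

```python
import re
import shlex
import sys
import sysconfig
import pyexpat

# Constructed sample: the three defines quoted in the comment above.
SAMPLE_HEADER = """\
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1
"""

_DEFINE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+XML_(MAJOR|MINOR|MICRO)_VERSION[ \t]+(\d+)", re.M)

def header_version(text):
    """Return (major, minor, micro) parsed from the text of an expat.h."""
    found = {name: int(num) for name, num in _DEFINE.findall(text)}
    missing = [n for n in ("MAJOR", "MINOR", "MICRO") if n not in found]
    if missing:
        raise ValueError("expat.h lacks XML_%s_VERSION" % missing[0])
    return found["MAJOR"], found["MINOR"], found["MICRO"]

def runtime_version():
    """Version reported by the expat library that pyexpat is using."""
    return tuple(pyexpat.version_info)

def uses_system_expat(config_args=None):
    """True if the build was configured with --with-system-expat."""
    if config_args is None:  # CONFIG_ARGS is None on Windows builds
        config_args = sysconfig.get_config_var("CONFIG_ARGS") or ""
    return "--with-system-expat" in shlex.split(config_args)

def needs_update(version, first_fixed):
    """True if version is older than the first release carrying the fix."""
    return tuple(version) < tuple(first_fixed)

if __name__ == "__main__":
    print("expat.h sample  :", header_version(SAMPLE_HEADER))
    print("pyexpat runtime :", runtime_version())
    print("system expat    :", uses_system_expat())
    # The first fixed release is not stated in this thread; pass it as
    # "X.Y.Z" on the command line after reading expat's Changes file.
    if len(sys.argv) == 2:
        fixed = tuple(int(part) for part in sys.argv[1].split("."))
        print("needs update    :", needs_update(runtime_version(), fixed))
```

When `uses_system_expat()` is true, the version to patch is the distribution's expat package rather than the copy under `Modules/expat/`.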
I added this vulnerability to the Python security document:
According to their changelog here https://github.com/libexpat/libexpat/blob/master/expat/Changes
I have checked 3.4, 3.5 and 3.6: it's version 2.1.1, except for 2.7 and 3.3, where it's version 2.1.0
Isn't this a duplicate of bpo-29591?
Yep, it's similar
I opened a thread on python-dev to ask if we could drop our embedded copy of libexpat:
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.