Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960) #90558

Closed
hartwork mannequin opened this issue Jan 16, 2022 · 12 comments
Closed

Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960) #90558

hartwork mannequin opened this issue Jan 16, 2022 · 12 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes topic-XML type-security A security issue

Comments

@hartwork
Copy link
Mannequin

hartwork mannequin commented Jan 16, 2022

BPO 46400
Nosy @ned-deily, @ambv, @hartwork, @corona10, @miss-islington
PRs
  • bpo-46400: Update libexpat from 2.4.1 to 2.4.4 #31022
  • [3.9] bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) #31295
  • [3.10] bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) #31296
  • [3.8] bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) #31297
  • [3.7] bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) #31298
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2022-02-21.18:47:10.917>
created_at = <Date 2022-01-16.16:32:40.967>
labels = ['type-security', '3.8', '3.9', '3.10', '3.11', 'expert-XML', '3.7']
title = 'Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)'
updated_at = <Date 2022-02-21.18:47:10.917>
user = 'https://github.com/hartwork'

    bugs.python.org fields:

    activity = <Date 2022-02-21.18:47:10.917>
actor = 'ned.deily'
assignee = 'none'
closed = True
closed_date = <Date 2022-02-21.18:47:10.917>
closer = 'ned.deily'
components = ['XML']
creation = <Date 2022-01-16.16:32:40.967>
creator = 'sping'
dependencies = []
files = []
hgrepos = []
issue_num = 46400
keywords = ['patch']
message_count = 12.0
messages = ['410700', '411061', '412117', '413132', '413133', '413457', '413458', '413529', '413550', '413551', '413656', '413668']
nosy_count = 7.0
nosy_names = ['ned.deily', 'lukasz.langa', 'python-dev', 'sping', 'corona10', 'miss-islington', 'thomgree']
pr_nums = ['31022', '31295', '31296', '31297', '31298']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue46400'
versions = ['Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']
    @hartwork
    Copy link
    Mannequin Author

    hartwork mannequin commented Jan 16, 2022

    Expat 2.4.3 released, includes security fixes
    https://blog.hartwork.org/posts/expat-2-4-3-released/

    Thank you!

    PS: This is similar to bpo-44394 excect now it's 2.4.3.

    @hartwork hartwork mannequin added 3.7 (EOL) end of life 3.8 only security fixes 3.10 only security fixes 3.11 only security fixes 3.9 only security fixes topic-XML type-security A security issue labels Jan 16, 2022
    @hartwork hartwork mannequin changed the title Please updated bundled libexpat to 2.4.3 with security fixes Please update bundled libexpat to 2.4.3 with security fixes Jan 16, 2022
    @hartwork hartwork mannequin changed the title Please updated bundled libexpat to 2.4.3 with security fixes Please update bundled libexpat to 2.4.3 with security fixes Jan 16, 2022
    @ned-deily
    Copy link
    Member

    The bundled expat is potentially used by all Python builds, not just Windows or Mac builds.

    @hartwork
    Copy link
    Mannequin Author

    hartwork mannequin commented Jan 30, 2022

    2.4.4 with more security fixes has been released, adjusting the ticket to be about updating to 2.4.4 now.

    @hartwork hartwork mannequin changed the title Please update bundled libexpat to 2.4.3 with security fixes Please update bundled libexpat to 2.4.4 with security fixes Jan 30, 2022
    @hartwork hartwork mannequin changed the title Please update bundled libexpat to 2.4.3 with security fixes Please update bundled libexpat to 2.4.4 with security fixes Jan 30, 2022
    @vstinner vstinner changed the title Please update bundled libexpat to 2.4.4 with security fixes Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960) Feb 11, 2022
    @vstinner vstinner changed the title Please update bundled libexpat to 2.4.4 with security fixes Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960) Feb 11, 2022
    @corona10 corona10 removed 3.7 (EOL) end of life 3.8 only security fixes labels Feb 12, 2022
    @hartwork
    Copy link
    Mannequin Author

    hartwork mannequin commented Feb 12, 2022

    Just to understand, why has Python 3.7 and 3.8 been dropped? Neither seems to be end-of-life but affected. Thank you!

    @corona10
    Copy link
    Member

    New changeset 8aaaf7e by Cyril Jouve in branch 'main':
    bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022)
    8aaaf7e

    @corona10 corona10 added the 3.7 (EOL) end of life label Feb 12, 2022
    @corona10 corona10 added 3.8 only security fixes 3.7 (EOL) end of life labels Feb 12, 2022
    @corona10
    Copy link
    Member

    New changeset cb7551d by Dong-hee Na in branch '3.10':
    bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31296)
    cb7551d

    @corona10
    Copy link
    Member

    New changeset e782890 by Miss Islington (bot) in branch '3.9':
    bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31295)
    e782890

    @ned-deily
    Copy link
    Member

    expat 2.4.5 was released today (bpo-46794).

    @hartwork
    Copy link
    Mannequin Author

    hartwork mannequin commented Feb 19, 2022

    Yes, I have already created bpo-46794 for 2.4.5.

    @hartwork
    Copy link
    Mannequin Author

    hartwork mannequin commented Feb 19, 2022

    Overlooked your reference, so you already know, my bad, nevermind.

    @ambv
    Copy link
    Contributor

    ambv commented Feb 21, 2022

    New changeset c60414d by Dong-hee Na in branch '3.8':
    bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31297)
    c60414d

    @ned-deily
    Copy link
    Member

    New changeset 5fdacac by Dong-hee Na in branch '3.7':
    bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31298)
    5fdacac

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes topic-XML type-security A security issue
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    3 participants
    @ambv @corona10 @ned-deily