Author gregory.p.smith
Recipients Arfrever, Jim.Jewett, amaury.forgeotdarc, barry, benjamin.peterson, dmalcolm, georg.brandl, gregory.p.smith, pitrou
Date 2012-03-16.21:28:25
SpamBayes Score 4.65357e-06
Marked as misclassified No
Message-id <>
As pointed out in #14234, our embedded copy of expat used by pyexpat for xml parsing in Modules/expat/ is out of date.  There have been many fixes to expat that we have not applied including a few potential crash and security fixes.

We should upgrade it wholesale to the latest version for 3.3.

Someone should also audit expat changes to see if there are security fixes for expat that should be backported to 2.6/2.7/3.1/3.2 as platforms without a system expat such as Windows (and 2.6 and 3.1) will contain those problems.

I am marking this a release blocker for 3.3 to ensure expat is updated before then.  I would *not* hold up the existing round of release candidates for this, the next security+bugfix updates can contain these changes.
Date User Action Args
2012-03-16 21:28:26gregory.p.smithsetrecipients: + gregory.p.smith, barry, georg.brandl, amaury.forgeotdarc, pitrou, benjamin.peterson, Arfrever, dmalcolm, Jim.Jewett
2012-03-16 21:28:26gregory.p.smithsetmessageid: <>
2012-03-16 21:28:26gregory.p.smithlinkissue14340 messages
2012-03-16 21:28:25gregory.p.smithcreate