This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients Arfrever, barry, benjamin.peterson, christian.heimes, djc, eli.bendersky, ezio.melotti, franck, georg.brandl, jwilk, larry, martin.panter, mcepl, ned.deily, pitrou, rhettinger, rsandwick3, scoder, serhiy.storchaka, steve.dower, vstinner
Date 2018-09-18.14:14:29
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
> * only Windows and macOS will get the fix

Modules/expat can be used on all platforms. A downstream patch is only a problem for platforms that compile Python with "./configure --with-system-expat".

The security fixes for entity expansion blowup and external entity loading are backwards incompatible fixes. Technically they also violate XML standards. In practice the vast majority of users will never run into the issue, because external entities are scarcely used. The expat parser is a non-validating XML parser, so DTDs aren't useful at all. I'd rather break a handful of users than to keep the majority of users vulnerable.

To fix billion laughs and quadratic blowup once and for all, we also have to break backwards compatibility and require expat >= 2.3.0. For now the modules still work with old versions of expat. IMO it's fine. Vendors either have to update their libraries or use our copy of expat.

Ultimately it's Benjamin's, Larry's, and Ned's decision. They are release managers.
Date User Action Args
2018-09-18 14:14:29christian.heimessetrecipients: + christian.heimes, barry, georg.brandl, rhettinger, pitrou, scoder, vstinner, larry, benjamin.peterson, jwilk, ned.deily, djc, mcepl, ezio.melotti, Arfrever, eli.bendersky, martin.panter, serhiy.storchaka, franck, steve.dower, rsandwick3
2018-09-18 14:14:29christian.heimessetmessageid: <>
2018-09-18 14:14:29christian.heimeslinkissue17239 messages
2018-09-18 14:14:29christian.heimescreate