
Author Uche Ogbuji
Recipients Uche Ogbuji
Date 2019-09-14.20:10:06
cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.8 to fix security vulnerability CVE-2019-15903.

From Sebastian Pipping on XML-DEV ML:

Expat 2.2.8 [1] has been released yesterday.  This release fixes a
security issue — a heap buffer over-read known as CVE-2019-15903 [2]
reported by Joonun Jang resulting in Denial of Service —, starts using
the rand_s function on Windows and MinGW (ending the previous
LoadLibrary hack), includes non-security bugfixes, many build system
fixes and improvements, improvements to xmlwf usability, and more.

For more details regarding the latest release, please check out the
changelog [3].

If you maintain Expat packaging or a bundled copy of Expat or a pinned
version of Expat somewhere, please update to 2.2.8.  Thank you!
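A practical check that follows from the request above, added here as an example and not part of this tracker message, CPython or Expat: find out which Expat the interpreter you run actually loaded and whether it is at or past the 2.2.8 fix. It uses only the stdlib pyexpat module's EXPAT_VERSION string and version_info tuple; the 2.2.8 threshold is taken from the announcement. One caveat the code comments spell out: pyexpat reports whatever libexpat it was built against, which is the bundled Modules/expat/ copy by default but the system library when CPython was configured with --with-system-expat, so a patched bundle is not enough on its own.

```python
"""Check which Expat version the running Python is linked against.

Added example for bpo-38174; not code from the tracker message, CPython
or Expat. The 2.2.8 threshold comes from the Expat 2.2.8 announcement
(first release carrying the CVE-2019-15903 fix).
"""
import re
import pyexpat  # stdlib binding that exposes the linked Expat's version

# Expat 2.2.8 is the first release with the fix for CVE-2019-15903.
CVE_2019_15903_FIXED = (2, 2, 8)


def parse_expat_version(version_string):
    """Turn 'expat_2.2.8' (pyexpat.EXPAT_VERSION format) or '2.2.8' into (2, 2, 8).

    Raises ValueError for anything that does not look like X.Y.Z.
    """
    match = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if match is None:
        raise ValueError("unrecognised Expat version string: %r" % (version_string,))
    return tuple(int(part) for part in match.groups())


def is_fixed_for_cve_2019_15903(version):
    """True if a (major, minor, micro) Expat version is 2.2.8 or newer."""
    return tuple(version) >= CVE_2019_15903_FIXED


def linked_expat_version_string():
    """The Expat version string the interpreter reports, e.g. 'expat_2.2.8'."""
    return pyexpat.EXPAT_VERSION


def linked_expat_version():
    """Version tuple of the Expat this interpreter actually loaded.

    This is whatever pyexpat was built against: the copy bundled in
    Modules/expat/ by default, or the system libexpat when CPython was
    configured with --with-system-expat. Either way it must be >= 2.2.8.
    """
    return tuple(pyexpat.version_info)


def report():
    """One-line verdict for the running interpreter."""
    version = linked_expat_version()
    if is_fixed_for_cve_2019_15903(version):
        verdict = "fixed"
    else:
        verdict = "VULNERABLE, update Expat"
    return "%s -> %s (CVE-2019-15903: %s)" % (
        linked_expat_version_string(), version, verdict)


if __name__ == "__main__":
    print(report())
```

Run it with each Python build you ship or deploy, not just the one on your workstation: a venv inherits the interpreter's libexpat, so the answer is per interpreter build, not per project.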

Date                 User         Action  Args
2019-09-14 20:10:07  Uche Ogbuji  set     recipients: + Uche Ogbuji
2019-09-14 20:10:07  Uche Ogbuji  set     messageid: <>
2019-09-14 20:10:07  Uche Ogbuji  link    issue38174 messages
2019-09-14 20:10:06  Uche Ogbuji  create