This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Author vstinner
Recipients vstinner
Date 2021-06-11.14:14:07
Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs":

The table of vulnerabilities in Python XML parsers should be updated as well:

My outdated notes on Modules/expat/: copy of libexpat

* ./configure --with-system-expat
* Rationale:
* Used on Windows and macOS, Linux distributions use system libexpat
* Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
* Script to update it: see attached script to
* Recent update:
* Python 2.7, 3.3-3.6 use libexpat 2.2.1
| Date | User | Action | Args |
|---|---|---|---|
| 2021-06-11 14:14:07 | vstinner | set | recipients: + vstinner |
| 2021-06-11 14:14:07 | vstinner | set | messageid: <> |
| 2021-06-11 14:14:07 | vstinner | link | issue44394 messages |
| 2021-06-11 14:14:07 | vstinner | create | |
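
The version check from the notes above, as an added example that is not part of the original message or of CPython's tooling: it reads the XML_*_VERSION defines from the text of expat.h and compares them, and the libexpat the running interpreter actually uses, against the 2.4.1 release named in the message. The function names and the sample header text are constructed for illustration; a distribution may backport the fix to an older system libexpat, so a version below 2.4.1 means "check the package changelog", not "certainly unpatched".

```python
import re
import pyexpat

# Expat release the message names as carrying the CVE-2013-0340 fix.
FIXED = (2, 4, 1)

# Matches the three version defines found in Modules/expat/expat.h.
DEFINE_RE = re.compile(
    r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.M
)


def header_version(header_text):
    """Return (major, minor, micro) parsed from the text of expat.h."""
    found = {name: int(value) for name, value in DEFINE_RE.findall(header_text)}
    missing = {"MAJOR", "MINOR", "MICRO"} - found.keys()
    if missing:
        raise ValueError("missing XML_*_VERSION defines: %s" % sorted(missing))
    return found["MAJOR"], found["MINOR"], found["MICRO"]


def has_fix(version):
    """True if the version is at or above the release containing the fix."""
    # Tuple comparison, so (2, 10, 0) sorts after (2, 4, 1), unlike strings.
    return tuple(version) >= FIXED


def runtime_version():
    """Version of the libexpat this interpreter is linked against.

    With --with-system-expat this is the system library, not the vendored copy.
    """
    return tuple(pyexpat.version_info)


# Constructed sample: the defines as they would read in a libexpat 2.2.1 header.
SAMPLE_HEADER = """\
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 2
#define XML_MICRO_VERSION 1
"""

if __name__ == "__main__":
    vendored = header_version(SAMPLE_HEADER)
    print("header :", vendored, "fixed" if has_fix(vendored) else "needs update")
    linked = runtime_version()
    print("runtime:", linked, "fixed" if has_fix(linked) else "needs update")
```

To check a real source tree, pass the contents of Modules/expat/expat.h to `header_version` instead of the sample text.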