
Author vstinner
Recipients vstinner
Date 2021-06-11.14:14:07
Message-id <1623420847.27.0.469352206791.issue44394@roundup.psfhosted.org>
In-reply-to
Content
Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs":
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/

The table of vulnerabilities in Python XML parsers should be updated as well:
https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

My outdated notes on Modules/expat/: copy of libexpat

* ./configure --with-system-expat
* Rationale: https://mail.python.org/pipermail/python-dev/2017-June/148287.html
* Used on Windows and macOS, Linux distributions use system libexpat
* Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
* Script to update it: see attached script to https://bugs.python.org/issue30947
* Recent update: https://bugs.python.org/issue30947
* Python 2.7, 3.3-3.6 use libexpat 2.2.1

https://pythondev.readthedocs.io/files.html
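The notes above say the vendored Expat version is found by searching for XML_MAJOR_VERSION in Modules/expat/expat.h, and that the fix for CVE-2013-0340 is in Expat 2.4.1. The following is an added example (not code from the issue or from CPython) that performs that check both ways: it parses the version macros out of expat.h-style text and it reads the version of the Expat library the running interpreter actually links against via pyexpat.version_info. The header text is constructed for the example; the macro names and the pyexpat attributes are real, the threshold is the version the issue asks for.

```python
import re
from typing import Tuple

# The three macros that Modules/expat/expat.h defines for its version.
VERSION_MACROS = ("XML_MAJOR_VERSION", "XML_MINOR_VERSION", "XML_MICRO_VERSION")

# Version this issue asks to vendor (carries the CVE-2013-0340 fix).
REQUIRED_VERSION: Tuple[int, int, int] = (2, 4, 1)

# Constructed sample of the relevant lines of an expat.h from before the fix
# (the real header has many more lines; only the #defines matter here).
SAMPLE_OLD_HEADER = """
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 2
#define XML_MICRO_VERSION 1
"""

# Constructed sample matching the version the issue wants.
SAMPLE_FIXED_HEADER = """
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 4
#define XML_MICRO_VERSION 1
"""


def parse_expat_header_version(header_text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, micro) from expat.h-style text.

    Raises ValueError if any of the three macros is missing, so a
    truncated or wrong file is reported rather than silently treated
    as version 0.
    """
    found = {}
    for name in VERSION_MACROS:
        match = re.search(
            r"^\s*#\s*define\s+" + name + r"\s+(\d+)\b",
            header_text,
            re.MULTILINE,
        )
        if match is None:
            raise ValueError(f"{name} not found in header text")
        found[name] = int(match.group(1))
    return (found["XML_MAJOR_VERSION"],
            found["XML_MINOR_VERSION"],
            found["XML_MICRO_VERSION"])


def has_required_version(version: Tuple[int, int, int]) -> bool:
    """True if the given Expat version is at or above REQUIRED_VERSION."""
    return tuple(version) >= REQUIRED_VERSION


def runtime_expat_version() -> Tuple[int, int, int]:
    """Version of the Expat library linked into this interpreter.

    On a --with-system-expat build this is the system library, not the
    vendored copy, which is why checking the header alone is not enough.
    """
    import pyexpat
    major, minor, micro = pyexpat.version_info
    return (major, minor, micro)


def report(header_text: str) -> str:
    """One-line summary combining the header and runtime checks."""
    header_version = parse_expat_header_version(header_text)
    runtime_version = runtime_expat_version()
    return (
        f"header expat {'.'.join(map(str, header_version))} "
        f"({'ok' if has_required_version(header_version) else 'NEEDS UPDATE'}); "
        f"runtime expat {'.'.join(map(str, runtime_version))} "
        f"({'ok' if has_required_version(runtime_version) else 'NEEDS UPDATE'})"
    )


if __name__ == "__main__":
    # Replace SAMPLE_OLD_HEADER with open("Modules/expat/expat.h").read()
    # when run inside a CPython checkout.
    print(report(SAMPLE_OLD_HEADER))
```

Run inside a CPython checkout with the real Modules/expat/expat.h to see whether the vendored copy is behind; run it against any installed interpreter to see which Expat that interpreter is actually using, which is the number that matters on --with-system-expat builds.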
History
Date                 User      Action   Args
2021-06-11 14:14:07  vstinner  set      recipients: + vstinner
2021-06-11 14:14:07  vstinner  set      messageid: <1623420847.27.0.469352206791.issue44394@roundup.psfhosted.org>
2021-06-11 14:14:07  vstinner  link     issue44394 messages
2021-06-11 14:14:07  vstinner  create