Please upgrade bundled Expat to 2.6.3 (e.g. for the fixes to CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492) #123678

Closed
hartwork opened this issue Sep 4, 2024 · 4 comments
Labels: type-bug (An unexpected behavior, bug, or error), type-security (A security issue)


hartwork commented Sep 4, 2024

Bug report

Bug description:

Hi! 👋

Please upgrade bundled Expat to 2.6.3 (e.g. for the fixes to CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492).

The CPython issue for previous 2.6.2 was #116741 and the related merged main pull request was #117296, in case you want to have a look. The Dockerfile from comment #117296 (review) could be of help with raising confidence in a bump pull request when going forward.

Thanks in advance!

CPython versions tested on:

3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch

Operating systems tested on:

Linux, macOS, Windows, Other


hartwork added the type-bug label Sep 4, 2024
Eclips4 added the type-security label Sep 4, 2024

sobolevn commented Sep 4, 2024

cc @sethmlarson

sethmlarson commented

Thanks for the ping @sobolevn, I'll work with release managers to get this update out.

sethmlarson commented

I've created a PR, please take a look: #123689

gpshead pushed a commit that referenced this issue Sep 4, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 4, 2024
Upgrade libexpat 2.6.3
(cherry picked from commit 40bdb0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
sethmlarson self-assigned this Sep 4, 2024
gpshead pushed a commit that referenced this issue Sep 4, 2024
gh-123678: Upgrade libexpat 2.6.3 (GH-123689)

Upgrade libexpat 2.6.3
(cherry picked from commit 40bdb0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
encukou pushed a commit that referenced this issue Sep 5, 2024
gh-123678: Upgrade libexpat 2.6.3 (GH-123689)

(cherry picked from commit 40bdb0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
ambv pushed a commit that referenced this issue Sep 5, 2024
sethmlarson commented

All pull requests have been merged
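
The following is an added example, not part of the original thread and not CPython project code: a check of which Expat an interpreter's `pyexpat` reports, compared against the 2.6.3 release this issue asks for. The host labels and version strings in `SAMPLE_REPORTS` are constructed, and the helper names are hypothetical.

```python
import re
import pyexpat

# First Expat release the issue names as carrying the fixes.
FIXED_IN = (2, 6, 3)
CVES = ("CVE-2024-45490", "CVE-2024-45491", "CVE-2024-45492")


def parse_expat_version(text):
    """Turn a string such as 'expat_2.6.3' (the pyexpat.EXPAT_VERSION form) into (2, 6, 3)."""
    match = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised Expat version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def needs_upgrade(version_text):
    """True when the reported Expat predates 2.6.3. Tuples compare numerically,
    so 2.10.0 is correctly newer than 2.6.3 (a plain string compare gets this wrong)."""
    return parse_expat_version(version_text) < FIXED_IN


def audit_inventory(reports):
    """Split {label: version string} into (labels to upgrade, labels that could not be parsed)."""
    outdated, unknown = [], []
    for label, version_text in sorted(reports.items()):
        try:
            if needs_upgrade(version_text):
                outdated.append(label)
        except ValueError:
            unknown.append(label)
    return outdated, unknown


# Constructed sample inventory, e.g. collected by running
# `python -c "import pyexpat; print(pyexpat.EXPAT_VERSION)"` on each host.
SAMPLE_REPORTS = {
    "build-01 / python3.12": "expat_2.6.2",
    "build-02 / python3.13": "expat_2.6.3",
    "legacy-01 / python3.8": "expat_2.4.7",
    "edge-01 / python3.11": "unknown",
}

if __name__ == "__main__":
    local = pyexpat.EXPAT_VERSION
    state = "needs upgrade" if needs_upgrade(local) else "at or above 2.6.3"
    print(f"this interpreter: {local} ({state}); relevant fixes: {', '.join(CVES)}")
    outdated, unknown = audit_inventory(SAMPLE_REPORTS)
    print("upgrade:", outdated, "| check by hand:", unknown)
```

The reported string reflects whichever Expat `pyexpat` was built against, bundled or system. A distribution that backports the fixes without changing the version number will still show as outdated here, so confirm such hosts against the vendor's advisory.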
