Bundles vulnerable copy of Expat - please update to 2.2.2 #2659
Comments
Thanks for reporting.
After internal discussion, the action item is to switch from cElementTree (which bundles the old version of expat in question) to the Python stdlib's cElementTree, which should have more security updates.
Wouldn't that bundle Expat as well? Or is this about a new no-bundle dependency? Also, Python itself still needs to update their bundle of Expat. I'd be curious about more details.
Yes, but we off-load the maintenance duty to Python since Python includes the Komodo pre-dates Python 2.5, so it had to bundle an external, 3rd-party, C-based XML parser. Python 2.5 started including that parser in its standard library, but Komodo never shifted to using Python's version. This dependency is unnecessary.
I see. As long as you keep the Python bundle up to date, I'm happy :)
Komodo uses Python 2.7, which has updated their version of Expat (see https://bugs.python.org/issue30694). As mentioned previously in this ticket, the original reference to the old Expat you found is no longer used -- it's there as a legacy reference. Closing ticket.
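The thread resolves the report by relying on the interpreter's own Expat rather than a bundled copy, so the practical check is to ask the running Python which Expat its pyexpat module was linked against and compare it with the 2.2.2 minimum the report asks for. The script below is an added example, not code from the Komodo project or from anyone in this thread; it uses only the standard-library pyexpat module (pyexpat.version_info and pyexpat.EXPAT_VERSION are real attributes) and the version numbers quoted in the issue.

```python
import pyexpat

# Minimum Expat version requested in the issue (2.2.2, with the security fixes noted there).
MIN_EXPAT = (2, 2, 2)


def parse_expat_version(version_string):
    """Turn 'expat_2.2.2' or '2.2.2' into a comparable tuple of ints.

    pyexpat.EXPAT_VERSION is formatted as 'expat_<major>.<minor>.<micro>';
    the prefix is stripped before splitting on dots.
    """
    tail = version_string.rsplit("_", 1)[-1]
    return tuple(int(part) for part in tail.split("."))


def is_expat_recent_enough(version, minimum=MIN_EXPAT):
    """True when the given (major, minor, micro) tuple meets the minimum."""
    return tuple(version) >= tuple(minimum)


def runtime_expat_version():
    """Version tuple of the Expat library the running interpreter linked."""
    return tuple(pyexpat.version_info)


def check_runtime(minimum=MIN_EXPAT):
    """Return (version_tuple, ok) for the interpreter's own Expat."""
    version = runtime_expat_version()
    return version, is_expat_recent_enough(version, minimum)


if __name__ == "__main__":
    # Constructed sample: the bundled version the issue reports as vulnerable.
    legacy = parse_expat_version("expat_1.95.8")
    print("bundled 1.95.8 acceptable:", is_expat_recent_enough(legacy))

    version, ok = check_runtime()
    print("interpreter Expat:", pyexpat.EXPAT_VERSION, "->", "ok" if ok else "too old")
```

Run it with the interpreter the application actually embeds; a second Python on the same machine may link a different Expat, so the result only says something about the interpreter that executed it.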
Hi!
This repository bundles an outdated vulnerable copy of Expat 1.95.8. Please update your copy to version 2.2.2 with the latest security fixes. A change log with details is available at https://github.com/libexpat/libexpat/blob/master/expat/Changes . Thank you!
Best
Sebastian