Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please upgrade bundled Expat to 2.6.0 (e.g. for the fix to CVE-2023-52425) #115399

Closed
hartwork opened this issue Feb 13, 2024 · 4 comments · Fixed by #115431
Closed

Please upgrade bundled Expat to 2.6.0 (e.g. for the fix to CVE-2023-52425) #115399

hartwork opened this issue Feb 13, 2024 · 4 comments · Fixed by #115431
Labels
extension-modules C modules in the Modules dir type-bug An unexpected behavior, bug, or error

Comments

@hartwork
Copy link
Contributor

hartwork commented Feb 13, 2024
edited by bedevere-app bot

Bug report

Bug description:

Hi! 👋

Please upgrade bundled Expat to 2.6.0 (e.g. for the fix to CVE-2023-52425).

The CPython issue for previous 2.5.0 was #98739 and the related merged pull request was #98742, in case you want to have a look. In particular comment #98742 (review) could be of help.

Thanks in advance!

CPython versions tested on:

3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch

Operating systems tested on:

Linux, macOS, Windows, Other

Linked PRs
@hartwork hartwork added the type-bug An unexpected behavior, bug, or error label Feb 13, 2024
This was referenced Feb 13, 2024
Closed
Closed
Merged
@erlend-aasland erlend-aasland added the extension-modules C modules in the Modules dir label Feb 13, 2024
@ambv
Copy link
Contributor

ambv commented Feb 13, 2024

Thanks for letting us know. We'll be addressing this.

@bedevere-app bedevere-app bot mentioned this issue Feb 13, 2024
Merged
@bedevere-app
Copy link

bedevere-app bot commented Feb 14, 2024

GH-115468 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot mentioned this issue Feb 14, 2024
Merged
Yhg1s pushed a commit that referenced this issue Feb 14, 2024
@sethmlarson
gh-115399: Upgrade bundled libexpat to 2.6.0 (#115431)
4b2d178
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 14, 2024
@sethmlarson @miss-islington
pythongh-115399: Upgrade bundled libexpat to 2.6.0 (pythonGH-115431)
f601dee 
(cherry picked from commit 4b2d178)

Co-authored-by: Seth Michael Larson <seth@python.org>
@bedevere-app bedevere-app bot mentioned this issue Feb 14, 2024
Merged
ambv pushed a commit that referenced this issue Feb 14, 2024
@sethmlarson
[3.11] Upgrade bundled libexpat to 2.6.0 (GH-115399) (GH-115468)
e071b0d 
Manual backport due to code differences.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 14, 2024
@sethmlarson @miss-islington
[3.11] Upgrade bundled libexpat to 2.6.0 (pythonGH-115399) (pythonGH-…
e711c8e 
…115468)

Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
@bedevere-app bedevere-app bot mentioned this issue Feb 14, 2024
Merged
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Feb 14, 2024
@sethmlarson
[3.9] [3.11] Upgrade bundled libexpat to 2.6.0 (pythonGH-115399) (pyt…
2740bfa 
…honGH-115468)

Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
@bedevere-app
Copy link

bedevere-app bot commented Feb 14, 2024

GH-115474 is a backport of this pull request to the 3.9 branch.

@bedevere-app bedevere-app bot mentioned this issue Feb 14, 2024
Merged
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Feb 14, 2024
@sethmlarson
[3.8] [3.11] Upgrade bundled libexpat to 2.6.0 (pythonGH-115399) (pyt…
10de572 
…honGH-115468)

Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
@bedevere-app
Copy link

bedevere-app bot commented Feb 14, 2024

GH-115475 is a backport of this pull request to the 3.8 branch.

@bedevere-app bedevere-app bot mentioned this issue Feb 14, 2024
Merged
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Feb 14, 2024
@sethmlarson
[3.9] Upgrade bundled libexpat to 2.6.0 (pythonGH-115399) (pythonGH-1…
b5762ec 
…15468)

Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Feb 14, 2024
@sethmlarson
[3.8] Upgrade bundled libexpat to 2.6.0 (pythonGH-115399) (pythonGH-1…
68dd471 
…15468)

Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
gpshead pushed a commit that referenced this issue Feb 14, 2024
@miss-islington @sethmlarson
[3.12] gh-115399: Upgrade bundled libexpat to 2.6.0 (GH-115431) (#115469
14930ac 
)

gh-115399: Upgrade bundled libexpat to 2.6.0 (GH-115431)
(cherry picked from commit 4b2d178)

Co-authored-by: Seth Michael Larson <seth@python.org>
sethmlarson added a commit to miss-islington/cpython that referenced this issue Feb 19, 2024
@sethmlarson
[3.10] Upgrade bundled libexpat to 2.6.0 (pythonGH-115399) (pythonGH-…
58f4f54 
…115468)

Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
pablogsal pushed a commit that referenced this issue Feb 19, 2024
@miss-islington @sethmlarson
[3.10] Upgrade bundled libexpat to 2.6.0 (GH-115399) (GH-115468) (#11…
d0524ca 
…5473)

Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Seth Michael Larson <seth@python.org>
ambv pushed a commit that referenced this issue Feb 21, 2024
@hartwork
gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (GH-11…
fbd40ce 
…5400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 21, 2024
@hartwork @miss-islington
pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…
0873ae7 
…ythonGH-115400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
@bedevere-app bedevere-app bot mentioned this issue Feb 21, 2024
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 21, 2024
@hartwork @miss-islington
pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…
d80a4cf 
…ythonGH-115400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 21, 2024
@hartwork @miss-islington
pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…
af23c8c 
…ythonGH-115400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
@bedevere-app bedevere-app bot mentioned this issue Feb 21, 2024
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 21, 2024
@hartwork @miss-islington
pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…
d5fd04b 
…ythonGH-115400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
@bedevere-app bedevere-app bot mentioned this issue Feb 21, 2024
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 21, 2024
@hartwork @miss-islington
pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…
bd8c826 
…ythonGH-115400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
This was referenced Feb 21, 2024
Merged
Merged
ambv pushed a commit that referenced this issue Feb 21, 2024
@miss-islington @hartwork
[3.12] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (
cab8d07 
…GH-115400) (GH-115760)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
ambv pushed a commit that referenced this issue Feb 21, 2024
@miss-islington @hartwork
[3.11] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (
6928d5e 
…GH-115400) (GH-115761)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
ambv pushed a commit that referenced this issue Feb 21, 2024
@miss-islington @hartwork
[3.10] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (
b612ec6 
…GH-115400) (GH-115762)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
ambv pushed a commit that referenced this issue Feb 21, 2024
@miss-islington @hartwork
[3.8] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (G…
1e7f79a 
…H-115400) (GH-115764)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
ambv pushed a commit that referenced this issue Feb 21, 2024
@miss-islington @hartwork
[3.9] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (G…
0397866 
…H-115400) (GH-115763)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
ambv added a commit that referenced this issue Feb 21, 2024
@sethmlarson @ambv
[3.9] Upgrade bundled libexpat to 2.6.0 (GH-115399) (GH-115474)
4b68e5d 
Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
ambv added a commit that referenced this issue Feb 21, 2024
@sethmlarson @ambv
[3.8] Upgrade bundled libexpat to 2.6.0 (GH-115399) (GH-115475)
8c6f277 
Manual backport due to code differences.
(cherry picked from commit e071b0d)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
woodruffw pushed a commit to woodruffw-forks/cpython that referenced this issue Mar 4, 2024
@hartwork @woodruffw
pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…
1aae53b 
…ythonGH-115400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
@hartwork hartwork mentioned this issue Mar 13, 2024
Open
@hugovk hugovk mentioned this issue Mar 23, 2024
Closed
@bmhowe23 bmhowe23 mentioned this issue Apr 5, 2024
Merged
diegorusso pushed a commit to diegorusso/cpython that referenced this issue Apr 17, 2024
@hartwork @diegorusso
pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…
46450e5 
…ythonGH-115400)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
extension-modules C modules in the Modules dir type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gh-115399: Upgrade bundled libexpat to 2.6.0 sethmlarson/cpython
3 participants
@ambv @hartwork @erlend-aasland