Update expat to 2.1.1 #70743

Closed
tiran opened this issue Mar 14, 2016 · 10 comments
Labels
extension-modules C modules in the Modules dir release-blocker topic-XML type-security A security issue

Comments

@tiran
Member

tiran commented Mar 14, 2016

BPO 26556
Nosy @birkenfeld, @larryhastings, @tiran, @benjaminp, @ned-deily, @MirkoDziadzka

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2016-06-11.20:35:41.741>
created_at = <Date 2016-03-14.10:31:35.146>
labels = ['type-security', 'extension-modules', 'expert-XML', 'release-blocker']
title = 'Update expat to 2.1.1'
updated_at = <Date 2016-06-21.21:59:59.377>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2016-06-21.21:59:59.377>
actor = 'Carson Lam'
assignee = 'none'
closed = True
closed_date = <Date 2016-06-11.20:35:41.741>
closer = 'python-dev'
components = ['Extension Modules', 'XML']
creation = <Date 2016-03-14.10:31:35.146>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 26556
keywords = []
message_count = 10.0
messages = ['261741', '262020', '262058', '265425', '265426', '267619', '267697', '268069', '268202', '268268']
nosy_count = 8.0
nosy_names = ['georg.brandl', 'larry', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'python-dev', 'mirko.dziadzka', 'Brian Martin']
pr_nums = []
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue26556'
versions = ['Python 2.7', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6']

@tiran
Member Author

tiran commented Mar 14, 2016

A new version of expat has been released. 2.2.1 addressed CVE-2015-1283.

@tiran tiran added release-blocker extension-modules C modules in the Modules dir topic-XML type-security A security issue labels Mar 14, 2016
@larryhastings
Contributor

Christian: Is that CVE the same crash as reported by mail by Gustavo Grieco?

@tiran
Member Author

tiran commented Mar 19, 2016

No, the other problem is CVE-2016-0718. We are still looking into the matter.

@ned-deily
Member

Any progress on this? It is still flagged as a Release Blocker and releases are approaching.

@tiran
Member Author

tiran commented May 12, 2016

Another critical bug fix will be released next Tuesday.

@larryhastings
Contributor

Was this critical bug fix released on May 17th as promised?

I will not hold up 3.5.2 for this. 3.5.2 has waited long enough.

@tiran
Member Author

tiran commented Jun 7, 2016

There is another security release for expat planned, but we can skip it for now. I'll provide a patch for Python 2 and 3 with 2.1.1 by tomorrow.

@BrianMartin
Mannequin

BrianMartin mannequin commented Jun 9, 2016

Per http://expat.sourceforge.net/, version 2.1.1 fixes CVE-2015-1283, not 2.2.1 as mentioned in a comment.

@larryhastings
Contributor

Christian: I don't see any checkins on this issue, and I tag 3.4.4 rc1 and 3.5.2 rc1 in about twelve hours. As I mentioned to you in person at the PyCon 2016 sprints, I'm not holding up either of these releases for the expat update. If this is still open when it's time for me to tag those releases, I'll flip this to "deferred blocker".

@python-dev
Mannequin

python-dev mannequin commented Jun 11, 2016

New changeset d8a0a016d8d4 by Benjamin Peterson in branch '2.7':
upgrade expt to 2.1.1 (closes bpo-26556)
https://hg.python.org/cpython/rev/d8a0a016d8d4

New changeset bb3ce78572f5 by Benjamin Peterson in branch '3.4':
upgrade expt to 2.1.1 (closes bpo-26556)
https://hg.python.org/cpython/rev/bb3ce78572f5

New changeset f3c36afdedae by Benjamin Peterson in branch '3.5':
merge 3.4 (bpo-26556)
https://hg.python.org/cpython/rev/f3c36afdedae

New changeset 77353f0106cc by Benjamin Peterson in branch 'default':
merge 3.5 (bpo-26556)
https://hg.python.org/cpython/rev/77353f0106cc

@python-dev python-dev mannequin closed this as completed Jun 11, 2016
@CarsonLam CarsonLam mannequin changed the title from "Update expat to 2.2.1" to "Update expat to 2.1.1" Jun 21, 2016
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022