New submission from Ned Deily:

From the announcement:

Expat 2.2.1 has been released. The change log has more details [2] than this mail, including commit SHA1s. For a quick overview of the security fixes and CVEs, we have:

  CVE-2017-9233    External entity infinite loop DoS [1]
  (CVE-2016-9063)  Integer overflow (re-fix)
  n/a              More integer overflow fixes
  (CVE-2016-0718)  Fix regression bugs from 2.2.0's fix to CVE-2016-0718
  (CVE-2016-5300)  Use os-specific entropy sources like getrandom
  n/a              No longer leak parser pointer information
  n/a              Prevent use of uninitialised variables
  n/a              Add missing API parameter validation (NULL, len<0)
  (CVE-2012-0876)  Counter hash flooding with SipHash

  [1] https://libexpat.github.io/doc/cve-2017-9233/
  [2] https://github.com/libexpat/libexpat/blob/R_2_2_1/expat/Changes

----------
components: Library (Lib)
messages: 296254
nosy: haypo, ned.deily
priority: deferred blocker
severity: normal
stage: needs patch
status: open
title: Update embedded copy of expat to 2.2.1
versions: Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue30694>
_______________________________________
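Two checks a Python maintainer would want after this update, as an added example that is not part of the issue or of Expat's own code: which Expat version pyexpat is actually linked against, and a parse that refuses external entity references (the input class behind CVE-2017-9233). The SAMPLE document and its example.invalid URL are constructed.

```python
import pyexpat
from xml.parsers import expat

# Minimum Expat version carrying the fixes listed in the announcement.
MIN_EXPAT = (2, 2, 1)


def expat_version_ok(version_info=None):
    """Return (version_tuple, meets_minimum) for the Expat linked into pyexpat.

    version_info defaults to the live pyexpat.version_info; a tuple can be
    passed in to check a recorded value from another build.
    """
    v = tuple(pyexpat.version_info if version_info is None else version_info)
    return v, v >= MIN_EXPAT


# Constructed sample: a general entity whose SYSTEM id points outside the
# document. Untrusted input of this shape should never be followed.
SAMPLE = b'''<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "http://example.invalid/ext.xml"> ]>
<doc>&ext;</doc>'''


def parse_without_external_entities(data):
    """Parse data, refusing every external entity reference.

    Returns (ok, blocked): ok is False when a reference was refused, and
    blocked lists the refused system ids. Returning 0 from the
    ExternalEntityRefHandler makes Expat abort with
    XML_ERROR_EXTERNAL_ENTITY_HANDLING, so the document is rejected rather
    than followed or silently skipped.
    """
    blocked = []
    p = expat.ParserCreate()
    # Never fetch external parameter entities or an external DTD subset.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(context, base, system_id, public_id):
        blocked.append(system_id)
        return 0  # tell Expat the reference could not be processed

    p.ExternalEntityRefHandler = refuse
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        ext_err = expat.errors.codes[expat.errors.XML_ERROR_EXTERNAL_ENTITY_HANDLING]
        if e.code == ext_err:
            return False, blocked
        raise  # any other parse error is reported to the caller unchanged
    return True, blocked
```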