New submission from Uche Ogbuji <u...@ogbuji.net>:

cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.8 to fix security vulnerability CVE-2019-15903.
From Sebastian Pipping on XML-DEV ML:

Expat 2.2.8 [1] has been released yesterday. This release fixes a security issue — a heap buffer over-read known as CVE-2019-15903 [2] reported by Joonun Jang resulting in Denial of Service —, starts using the rand_s function on Windows and MinGW (ending the previous LoadLibrary hack), includes non-security bugfixes, many build system fixes and improvements, improvements to xmlwf usability, and more.

For more details regarding the latest release, please check out the changelog [3].

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.2.8.

Thank you!

[1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_8
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
[3] https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes

----------
components: XML
messages: 352449
nosy: Uche Ogbuji
priority: normal
severity: normal
status: open
title: Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8)
type: security
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue38174>
_______________________________________
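The check a practitioner would want after reading this report is whether a given interpreter's Expat (bundled from Modules/expat/ or linked from the system) is at or above 2.2.8. The following is an added example, not code from the tracker issue or from the CPython or libexpat projects; it uses the real `pyexpat.version_info` and `pyexpat.EXPAT_VERSION` attributes, and the function names (`parse_expat_version`, `is_fixed`, `bundled_expat_version`, `assess`) are this example's own. It also parses the `R_2_2_8`-style tag names used by the libexpat release links above, which goes slightly beyond the report itself.

```python
import re
import pyexpat

# First Expat release that fixes CVE-2019-15903 (heap buffer over-read, DoS),
# as stated in the report above.
FIXED_VERSION = (2, 2, 8)

# Accepts dotted versions ("expat_2.2.8", "2.2.8") and underscore-separated
# release tags ("R_2_2_8").
_VERSION_RE = re.compile(r"(\d+)[._](\d+)[._](\d+)")


def parse_expat_version(text):
    """Return a (major, minor, patch) tuple extracted from a version string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Expat version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed(version):
    """True if the given (major, minor, patch) tuple includes the CVE fix."""
    return tuple(version) >= FIXED_VERSION


def bundled_expat_version():
    """Version of the Expat library this interpreter's pyexpat was built against."""
    return tuple(pyexpat.version_info)


def assess(version=None):
    """Summarise the exposure of an interpreter (or an explicit version tuple)."""
    if version is None:
        version = bundled_expat_version()
    return {
        "expat_version": ".".join(str(p) for p in version),
        "cve_2019_15903_fixed": is_fixed(version),
        # Hypothetical advice string for a report; wording is this example's own.
        "action": "none" if is_fixed(version) else "update Expat to >= 2.2.8",
    }


if __name__ == "__main__":
    # Constructed sample inputs alongside the live interpreter's value.
    for sample in ("expat_2.2.7", "R_2_2_8", pyexpat.EXPAT_VERSION):
        print(sample, "->", assess(parse_expat_version(sample)))
    print("this interpreter ->", assess())
```

Run it with the interpreter you are auditing: a result of `cve_2019_15903_fixed: False` means the bundled or system Expat predates the fix. Note that on many Linux distributions CPython links the system libexpat rather than the copy in Modules/expat/, so the distribution's package version, not the CPython release, determines the answer.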