Hi All,

We are using Python 3.9.5 in our application. Python 3.9.5 uses libexpat 2.2.8, and our Black Duck scan is showing critical vulnerabilities in libexpat 2.2.8 (CVE-2022-22824, CVE-2022-23990, CVE-2022-23852, CVE-2022-25236, CVE-2022-22823).

When there are security issues in external modules like OpenSSL, bzip2, and zlib, we were able to get the latest code and build, as it is straightforward. But libexpat is an internal module of Python, and we don't see how we can upgrade libexpat alone in Python 3.9.5.

So is there a way we can build Python (e.g. 3.9.5), which already carries libexpat 2.2.8, so that it will link to the latest libexpat version (2.4.6, with the security issues fixed)?

Another solution, from what we found when searching the net and the mails, is that we need to wait for Python 3.9.11, which will be linked to libexpat 2.4.6.

Any inputs on this will be helpful.

Thanks,
Raghu
Python-Dev mailing list -- python-dev@python.org
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/
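An added example, not part of the original message or of CPython itself: a check that reports which libexpat a given interpreter actually loads, so a rebuild or upgrade can be verified against the 2.4.6 release named in the message. The function names and the `MIN_FIXED` constant are this example's own; `pyexpat.EXPAT_VERSION`, `pyexpat.version_info` and the `--with-system-expat` configure option are standard CPython.

```python
import re
import sysconfig
import pyexpat

# Fixed libexpat release named in the message above.
MIN_FIXED = (2, 4, 6)


def parse_expat_version(text):
    """Extract (major, minor, patch) from strings such as 'expat_2.2.8'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(text, minimum=MIN_FIXED):
    # Compare integer tuples: as plain strings, '2.10.0' would sort below '2.4.6'.
    return parse_expat_version(text) >= minimum


def audit():
    """Report the libexpat this interpreter uses at run time."""
    # CONFIG_ARGS holds the ./configure arguments on POSIX builds; it is None on Windows.
    config_args = sysconfig.get_config_var("CONFIG_ARGS") or ""
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        # A version comparison is a first-pass check only: a distribution may
        # backport fixes into an older libexpat without changing its version.
        "meets_minimum": tuple(pyexpat.version_info) >= MIN_FIXED,
        # True when the build was configured to link an external libexpat
        # instead of the copy bundled in the CPython source tree.
        "system_expat": bool(re.search(r"--with-system-expat(?!=no)", config_args)),
        # A statically built-in pyexpat has no __file__ attribute.
        "pyexpat_location": getattr(pyexpat, "__file__", "built into the interpreter"),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it with the interpreter that ships in the application, not the build host's default Python, since the two may load different libexpat copies.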