Hi All,

We are using the Python 3.9.5 version in our application.

In 3.9.5 it is using the libexpat 2.2.8 version; as part of the Black Duck scan, it
is showing critical vulnerabilities in libexpat 2.2.8.

(CVE-2022-22824
CVE-2022-23990
CVE-2022-23852
CVE-2022-25236
CVE-2022-22823)

When there are any issues (security issues) in external modules like OpenSSL,
bzip2, and zlib, we were able to get the latest code and build, as it is
straightforward, but libexpat is an internal module to Python and we don't
see how we can upgrade libexpat alone in Python 3.9.5.

So is there a way we can build Python (e.g. 3.9.5), which already carries
libexpat 2.2.8, so that it will link to the latest libexpat version (2.4.6,
which fixed the security issues)?

Another solution we came to know of when we searched the net and from the mails
is that we need to wait for Python 3.9.11, where this will be linked to
libexpat 2.4.6.

Any inputs on this will be helpful.

Thanks,
Raghu


_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/
Code of Conduct: http://python.org/psf/codeofconduct/
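Whichever route is taken (rebuilding the interpreter with CPython's `--with-system-expat` configure option so that pyexpat links the distro's libexpat, or moving to a release that bundles a fixed one), the thing to verify afterwards is which libexpat the running interpreter actually loads. The check below is an added example, not code from the thread or from CPython; the minimum version `(2, 4, 6)` is taken from the message above, and the `expat_X.Y.Z` string format is the one `pyexpat.EXPAT_VERSION` reports.

```python
"""Report which libexpat the running interpreter's pyexpat is linked against
and whether it meets a minimum version.  Added example (not from the original
mailing-list thread); MIN_EXPAT_VERSION is taken from the message above."""
import re
from typing import Tuple

try:
    import pyexpat
except ImportError:  # no expat-based XML parsing in this build at all
    pyexpat = None

Version = Tuple[int, int, int]

# Minimum libexpat the original message names as carrying the CVE fixes.
MIN_EXPAT_VERSION: Version = (2, 4, 6)


def parse_expat_version(text: str) -> Version:
    """Turn an EXPAT_VERSION string such as 'expat_2.2.8' into (2, 2, 8).

    Raises ValueError when no dotted major.minor.micro triple is present.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised expat version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_at_least(version: Version, minimum: Version = MIN_EXPAT_VERSION) -> bool:
    """True when `version` is the same as or newer than `minimum`."""
    return tuple(version) >= tuple(minimum)


def linked_expat_version() -> Version:
    """Version of the libexpat this interpreter's pyexpat module is linked to."""
    if pyexpat is None:
        raise RuntimeError("pyexpat is not available in this interpreter")
    # pyexpat exposes both a (major, minor, micro) tuple and an 'expat_X.Y.Z'
    # string; both come from the loaded library, so they must agree.
    from_tuple = tuple(pyexpat.version_info)
    from_string = parse_expat_version(pyexpat.EXPAT_VERSION)
    if from_tuple != from_string:
        raise RuntimeError(f"inconsistent expat data: {from_tuple} vs {from_string}")
    return from_string


if __name__ == "__main__":
    found = linked_expat_version()
    verdict = "OK" if is_at_least(found) else "below minimum, rebuild against newer libexpat"
    print(f"libexpat {'.'.join(map(str, found))}: {verdict}")
```

Run it with the rebuilt interpreter (`/path/to/new/python this_check.py`) rather than the system one, otherwise it reports the wrong build.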
