> On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra <[email protected]> wrote:
>
> Hi All,
>
> we are using the python 3.9.5 version in our application.
>
> In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan,
> it is showing critical vulnerabilities in libexpat 2.2.8.
>
> (CVE-2022-22824
> CVE-2022-23990
> CVE-2022-23852
> CVE-2022-25236
> CVE-2022-22823)
>
> when there are any issues (security issues) in external modules like
> OpenSSL, bzip2, and zlib we were able to get the latest code and build as it
> is straightforward, but libexpat is an internal module to the python and we
> don't see how we can upgrade libexpat alone in python 3.9.5
>
> So is there a way we can build python (ex 3.9.5) which is already carrying
> libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 -
> fixed security issues).
>
> Another solution when we searched over the net and from the mails what we
> came to know is we need to wait for Python 3.9.11 where this will be linked
> to libexpat 2.4.6.
>
> Any inputs on this will be helpful.

Are you asking how to link python to an external libexpat instead of the vendored expat inside python?

Have you tried deleting libexpat 2.2.8 from the python source code and replacing with the libexpat 2.4.6 and then compiling python?

Are you concerned that you need fixes in the python code to support the 2.4 version?

Barry

> Thanks,
> Raghu
>
> Internal Use - Confidential
> _______________________________________________
> Python-Dev mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at https://mail.python.org/archives/list/[email protected]/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/
> Code of Conduct: http://python.org/psf/codeofconduct/

_______________________________________________
Python-Dev mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/GSI2MC5VGPU24SOZIDINGBCOD3NFM5S4/
Code of Conduct: http://python.org/psf/codeofconduct/
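
Whichever route is taken (a rebuild with a swapped-in expat, an external libexpat, or a newer Python release), the result can be checked from the interpreter itself. The following is an added example, not part of the thread: it reads the expat version that `pyexpat` reports at runtime, compares it with the 2.4.6 release named above, and checks the recorded configure arguments for `--with-system-expat`. The function names are illustrative.

```python
import re
import shlex
import sysconfig
import pyexpat

# Release the thread names as carrying the fixes for the listed CVEs.
FIXED_EXPAT = (2, 4, 6)

def parse_expat_version(text):
    """Turn 'expat_2.2.8' (the pyexpat.EXPAT_VERSION format) into (2, 2, 8)."""
    m = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised expat version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_fixed(version, minimum=FIXED_EXPAT):
    """Numeric tuple comparison, so 2.4.10 correctly sorts after 2.4.6."""
    return tuple(version) >= tuple(minimum)

def uses_system_expat(config_args):
    """True/False from the configure arguments; None if they are not recorded
    (for example on Windows builds, where CONFIG_ARGS is absent)."""
    if not config_args:
        return None
    for arg in shlex.split(config_args):
        if arg in ("--with-system-expat", "--with-system-expat=yes"):
            return True
    return False

def audit_expat():
    """Report on the expat library this interpreter is actually running with."""
    version = parse_expat_version(pyexpat.EXPAT_VERSION)
    return {
        "expat_version": version,
        "fixed": is_fixed(version),
        "system_expat": uses_system_expat(sysconfig.get_config_var("CONFIG_ARGS")),
    }

if __name__ == "__main__":
    report = audit_expat()
    print("expat in use :", ".".join(map(str, report["expat_version"])))
    print("has 2.4.6 fixes:", report["fixed"])
    print("system expat :", report["system_expat"])
```

Run it with the interpreter that ships in the application, since a scanner that inspects source trees or package metadata may report a different expat than the one loaded at runtime.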
