> On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra > <pcraghavendra.pra...@dell.com> wrote: > > Hi All, > > we are using the python 3.9.5 version in our application. > > In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan, > it is showing critical vulnerabilities in libexpat 2.2.8. > > (CVE-2022-22824 > CVE-2022-23990 > CVE-2022-23852 > CVE-2022-25236 > CVE-2022-22823) > > when there are any issues ( security issues ) in external modules like > OpenSSL, bzip2, and zlib we were able to get the latest code and build as it > is straightforward, but libexpat is an internal module to the python and we > don't see how we can upgrade libexpat alone in python 3.9.5 > > So is there a way we can build python (ex 3.9.5) which is already carrying > libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 - > fixed security issues). > > Another solution when we searched over the net and from the mails what we > came to know is we need to wait for Python 3.9.11 where this will be linked > to libexpat 2.4.6. > > Any inputs on this will be helpful.
Are you asking how to link python to an external libexpat instead of the vendored expat inside python? Have you tried deleting libexpat 2.2.8 from the python source code and replacing with the libexpat 2.4.6 and then compiling python? Are you concerned that you need fixes in the python code to support the 2.4 version? Barry > > Thanks, > Raghu > > Internal Use - Confidential > _______________________________________________ > Python-Dev mailing list -- python-dev@python.org > <mailto:python-dev@python.org> > To unsubscribe send an email to python-dev-le...@python.org > <mailto:python-dev-le...@python.org> > https://mail.python.org/mailman3/lists/python-dev.python.org/ > <https://mail.python.org/mailman3/lists/python-dev.python.org/> > Message archived at > https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/ > > <https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/> > Code of Conduct: http://python.org/psf/codeofconduct/ > <http://python.org/psf/codeofconduct/>
_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-le...@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/GSI2MC5VGPU24SOZIDINGBCOD3NFM5S4/ Code of Conduct: http://python.org/psf/codeofconduct/
