Hi Scott, Thanks for the reply
Are you asking how to link python to an external libexpat instead of the vendor expat inside python? >> yes, we have done for some of the external libs like OpenSSL, bzip2 but >> libexpat was an internal module to python so how to link to the latest expat >> lib/code without changing the python version was our doubt. Have you tried deleting libexpat 2.2.8 from the python source code and replacing it with the libexpat 2.4.6 and then compiling python? >> No, do you mean hear removing the files ( python\Modules\expat ) folder and >> replacing the new files from libexpat 2.4.6. we didn't do that We didn't know whether that is the right way of doing it and if there are any incompatibilities to the python version (3.9.5) Are you concerned that you need fixes in the python code to support the 2.4 version? >> Yes our application is running with python 3.9.5 and it internal contains >> libexpat 2.2.8 that has security vulnerabilities One way is to upgrade the python to the latest version where the libexpat issues are fixed ( maybe 3.9.11). What is the best approach so that there will be no major issues. Thanks, Raghu Internal Use - Confidential From: Barry Scott <ba...@barrys-emacs.org> Sent: Saturday, February 26, 2022 3:08 AM To: Prasad, PCRaghavendra Cc: Python-Dev@python.org Subject: Re: [Python-Dev] Need Help [EXTERNAL EMAIL] On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra <pcraghavendra.pra...@dell.com<mailto:pcraghavendra.pra...@dell.com>> wrote: Hi All, we are using the python 3.9.5 version in our application. In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan, it is showing critical vulnerabilities in libexpat 2.2.8. (CVE-2022-22824 CVE-2022-23990 CVE-2022-23852 CVE-2022-25236 CVE-2022-22823) when there are any issues ( security issues ) in external modules like OpenSSL, bzip2, and zlib we were able to get the latest code and build as it is straightforward, but libexpat is an internal module to the python and we don't see how we can upgrade libexpat alone in python 3.9.5 So is there a way we can build python (ex 3.9.5) which is already carrying libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 - fixed security issues). Another solution when we searched over the net and from the mails what we came to know is we need to wait for Python 3.9.11 where this will be linked to libexpat 2.4.6. Any inputs on this will be helpful. Are you asking how to link python to an external libexpat instead of the vendored expat inside python? Have you tried deleting libexpat 2.2.8 from the python source code and replacing with the libexpat 2.4.6 and then compiling python? Are you concerned that you need fixes in the python code to support the 2.4 version? Barry Thanks, Raghu Internal Use - Confidential _______________________________________________ Python-Dev mailing list -- python-dev@python.org<mailto:python-dev@python.org> To unsubscribe send an email to python-dev-le...@python.org<mailto:python-dev-le...@python.org> https://mail.python.org/mailman3/lists/python-dev.python.org/ [mail.python.org]<https://urldefense.com/v3/__https:/mail.python.org/mailman3/lists/python-dev.python.org/__;!!LpKI!yHNiEUnxG5yfnxGC0naB83gqhWXVEusoVRumcoS8FxeXPHQdEAdwyNKeso27h8GaFVyAaDw$> Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/ [mail.python.org]<https://urldefense.com/v3/__https:/mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/__;!!LpKI!yHNiEUnxG5yfnxGC0naB83gqhWXVEusoVRumcoS8FxeXPHQdEAdwyNKeso27h8GaaW2106M$> Code of Conduct: http://python.org/psf/codeofconduct/ [python.org]<https://urldefense.com/v3/__http:/python.org/psf/codeofconduct/__;!!LpKI!yHNiEUnxG5yfnxGC0naB83gqhWXVEusoVRumcoS8FxeXPHQdEAdwyNKeso27h8GaC-4zeF0$>
_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-le...@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/TIJEEHEXSNQMVMFIWK3S2DY744YN4DSS/ Code of Conduct: http://python.org/psf/codeofconduct/