> On 25 Feb 2022, at 21:47, Prasad, PCRaghavendra > <pcraghavendra.pra...@dell.com> wrote: > > > Hi Scott,
Scott is my family name. > > Thanks for the reply > > Are you asking how to link python to an external libexpat instead of the > vendor expat inside python? > > >> yes, we have done for some of the external libs like OpenSSL, bzip2 but > >> libexpat was an internal module to python so how to link to the latest > >> expat lib/code without changing the python version was our doubt. > > Have you tried deleting libexpat 2.2.8 from the python source code and > replacing it with the libexpat 2.4.6 and then > compiling python? > > >> No, do you mean hear removing the files ( python\Modules\expat ) folder > >> and replacing the new files from libexpat 2.4.6. we didn’t do that > We didn’t know whether that is the right way of doing it and if there are any > incompatibilities to the python version (3.9.5) > > Are you concerned that you need fixes in the python code to support the 2.4 > version? > > >> Yes our application is running with python 3.9.5 and it internal contains > >> libexpat 2.2.8 that has security vulnerabilities > One way is to upgrade the python to the latest version where the libexpat > issues are fixed ( maybe 3.9.11). > > What is the best approach so that there will be no major issues. If I was doing this I would replace the libexpat code inside the python tree then compile python and see if that works without error. Take that python version and run the python test suite against it. If that passes then I would run my application’s test suite to ensure no regressions. Barry > > Thanks, > Raghu > > > > Internal Use - Confidential > From: Barry Scott <ba...@barrys-emacs.org> > Sent: Saturday, February 26, 2022 3:08 AM > To: Prasad, PCRaghavendra > Cc: Python-Dev@python.org > Subject: Re: [Python-Dev] Need Help > > [EXTERNAL EMAIL] > > > > > On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra > <pcraghavendra.pra...@dell.com> wrote: > > Hi All, > > we are using the python 3.9.5 version in our application. > > In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan, > it is showing critical vulnerabilities in libexpat 2.2.8. > > (CVE-2022-22824 > CVE-2022-23990 > CVE-2022-23852 > CVE-2022-25236 > CVE-2022-22823) > > when there are any issues ( security issues ) in external modules like > OpenSSL, bzip2, and zlib we were able to get the latest code and build as it > is straightforward, but libexpat is an internal module to the python and we > don't see how we can upgrade libexpat alone in python 3.9.5 > > So is there a way we can build python (ex 3.9.5) which is already carrying > libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 - > fixed security issues). > > Another solution when we searched over the net and from the mails what we > came to know is we need to wait for Python 3.9.11 where this will be linked > to libexpat 2.4.6. > > Any inputs on this will be helpful. > > Are you asking how to link python to an external libexpat instead of the > vendored expat inside python? > > Have you tried deleting libexpat 2.2.8 from the python source code and > replacing with the libexpat 2.4.6 and then > compiling python? > > Are you concerned that you need fixes in the python code to support the 2.4 > version? > > Barry > > > > > Thanks, > Raghu > > Internal Use - Confidential > _______________________________________________ > Python-Dev mailing list -- python-dev@python.org > To unsubscribe send an email to python-dev-le...@python.org > https://mail.python.org/mailman3/lists/python-dev.python.org/ > [mail.python.org] > Message archived at > https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/ > [mail.python.org] > Code of Conduct: http://python.org/psf/codeofconduct/ [python.org] >
_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-le...@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/LR2IF3PBVSMW4U5WLOOEV55RR47IM5WL/ Code of Conduct: http://python.org/psf/codeofconduct/
