[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Ned Deily]

Change by Ned Deily :


--
Removed message: https://bugs.python.org/msg342105

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Ned Deily]

Ned Deily  added the comment:


New changeset 86a713cb0c110b6798ca7f9e630fc511ee0a4028 by larryhastings (Victor 
Stinner) in branch '3.4':
[3.4][Security] bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 (#3353)
https://github.com/python/cpython/commit/86a713cb0c110b6798ca7f9e630fc511ee0a4028


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor  added the comment:

> Do you remember which platform failed? It doesn't say on the GH PR either.

It was the Linux job of Travis CI, something like an old Ubuntu LTS version.

Since Travis CI prevented me to merge anything and Python already has access to 
a safe PRNG, I didn't worry about that issue. The disabled code shouldn't be 
needed on Python.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Christian Heimes]

Christian Heimes  added the comment:

Do you remember which platform failed? It doesn't say on the GH PR either.

See #34623 for security bug. We only set good salt for pyexpat based parsers 
(sax, dom, pure Python etree), but not for the C-accelerated ElementTree 
implementation.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor  added the comment:

Christian Heimes  added the comment:
> Victor, the PR for this BPO has introduced XML_POOR_ENTROPY. Neither the 
> commit message nor the issue explains why. Which platform failed to compile 
> without XML_POOR_ENTROPY?

And, maybe:

"Oh, compilation fails on Travis CI at:"
https://github.com/python/cpython/pull/3106#issuecomment-323118722

And my rationale is (extract of setup.py):


# bpo-30947: Python uses best available entropy sources to
# call XML_SetHashSalt(), expat entropy sources are not needed
('XML_POOR_ENTROPY', '1'),

But I'm wrong if I understood what you told me last week.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Christian Heimes]

Christian Heimes  added the comment:

Victor, the PR for this BPO has introduced XML_POOR_ENTROPY. Neither the commit 
message nor the issue explains why. Which platform failed to compile without 
XML_POOR_ENTROPY?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Serhiy Storchaka]

Serhiy Storchaka added the comment:

And in 3.3.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:

libexpat has been upgraded from 2.2.1 to 2.2.4 in 2.7, 3.4, 3.5, 3.6 and master 
branches.

--
resolution:  -> fixed
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Larry Hastings]

Larry Hastings added the comment:


New changeset f2492bb6aae061aea47e21fc7e56b7ab9bfdf543 by larryhastings (Victor 
Stinner) in branch '3.5':
[3.5][Security] bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 (#3354)
https://github.com/python/cpython/commit/f2492bb6aae061aea47e21fc7e56b7ab9bfdf543


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Larry Hastings]

Larry Hastings added the comment:


New changeset 86a713cb0c110b6798ca7f9e630fc511ee0a4028 by larryhastings (Victor 
Stinner) in branch '3.4':
[3.4][Security] bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 (#3353)
https://github.com/python/cpython/commit/86a713cb0c110b6798ca7f9e630fc511ee0a4028


--
nosy: +larry

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Ned Deily]

Ned Deily added the comment:


New changeset 297516ea509c72d8ebed3a9b3ce200f023aca0b7 by Ned Deily (Victor 
Stinner) in branch '3.3':
[3.3] bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 (#3352)
https://github.com/python/cpython/commit/297516ea509c72d8ebed3a9b3ce200f023aca0b7


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +3368

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +3366

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +3364

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:

Expat 2.2.3 has a bug: see bpo-31170 :-(

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:


New changeset ec4ab09b7c0b5070bdb27351f979cbecc4636245 by Victor Stinner in 
branch '2.7':
bpo-30947: Update libexpat from 2.2.1 to 2.2.3 (#3106) (#3145)
https://github.com/python/cpython/commit/ec4ab09b7c0b5070bdb27351f979cbecc4636245


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:


New changeset 83e37e16f3065086d721d4e62a3788e01db3431c by Victor Stinner in 
branch '3.6':
bpo-30947: Update libexpat from 2.2.1 to 2.2.3 (#3106) (#3143)
https://github.com/python/cpython/commit/83e37e16f3065086d721d4e62a3788e01db3431c


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +3180

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +3179

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +3178

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:


New changeset 93d0cb58b4da2a88c56f472c6c19491cc7a390df by Victor Stinner in 
branch 'master':
bpo-30947: Update libexpat from 2.2.1 to 2.2.3 (#3106)
https://github.com/python/cpython/commit/93d0cb58b4da2a88c56f472c6c19491cc7a390df


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:

If libexpat is upgraded in Python 2.7, the new Modules/expat/loadlibrary.c 
should also be added to PC/VS9.0/ project files, as I did for PCbuild.

Note: PC/VS7.1/ and PC/VS8.0/ are likely broken and don't need to be updated, 
right?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[Serhiy Storchaka]

Serhiy Storchaka added the comment:

Could the updating script be added into the CPython repository?

--
nosy: +serhiy.storchaka

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:

> #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability using Steve 
> Holme's LoadLibrary wrapper for/of cURL

https://github.com/libexpat/libexpat/issues/82

I don't think that this bug affects Python since Python sets a hash secret.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:

cpython_rebuild_expat_dir.sh: Script used to update Modules/expat/ to 2.2.3. 
The script now uses the libexpat Git repository. Previously, I used tarballs.

--
Added file: http://bugs.python.org/file47088/cpython_rebuild_expat_dir.sh

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +3145

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

STINNER Victor added the comment:

Previous update: bpo-30694.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue30947] Update embeded copy of libexpat from 2.2.1 to 2.2.3

[STINNER Victor]

Changes by STINNER Victor :


--
title: Update embeded copy of libexpat to 2.2.2 -> Update embeded copy of 
libexpat from 2.2.1 to 2.2.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com