[issue14340] Update embedded copy of expat - fix security crash issues

2013-02-03 Thread Georg Brandl
Georg Brandl added the comment: Greg, if you are fine please apply to 3.2 or indicate if it is enough to apply the same patch as on 3.3/default. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14340

2013-02-03 Thread Roundup Robot
Roundup Robot added the comment: New changeset d2f6f63e73af by Gregory P. Smith in branch '3.2': Update the embedded copy of the expat XML parser to 2.1.0. It brings http://hg.python.org/cpython/rev/d2f6f63e73af

2013-02-03 Thread Gregory P. Smith
Gregory P. Smith added the comment: done. btw, it looks like benjamin.peterson did it for 2.7 yesterday morning but when 'hg graft' is used to apply a change from another branch the roundup notification mentions the original commit's author, not the person who did the push of the graft.

2013-02-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset c73a1f96dd9b by Gregory P. Smith in branch '2.7': Update the embedded copy of the expat XML parser to 2.1.0. It brings http://hg.python.org/cpython/rev/c73a1f96dd9b

2013-02-02 Thread Benjamin Peterson
Changes by Benjamin Peterson benja...@python.org: versions: -Python 2.7

2013-02-02 Thread Georg Brandl
Georg Brandl added the comment: Then I guess there is no reason not to put it in 3.2.4.

2013-01-19 Thread Benjamin Peterson
Benjamin Peterson added the comment: If you could apply this to 2.7, that'd be great.

2012-07-14 Thread Roundup Robot
Roundup Robot devn...@psf.upfronthosting.co.za added the comment: New changeset e4dc8be9a72f by Gregory P. Smith in branch 'default': Update the embedded copy of the expat XML parser to 2.1.0. It brings http://hg.python.org/cpython/rev/e4dc8be9a72f
nosy: +python-dev

2012-07-14 Thread Gregory P. Smith
Gregory P. Smith g...@krypto.org added the comment: Updated in 3.3 for beta2. I'll leave it up to release managers to decide if they want to apply these updates for future 2.7 and 3.2 releases (trivial, just be sure to keep our one local modification adding the #define XML_HAS_SET_HASH_SALT

2012-07-14 Thread Gregory P. Smith
Gregory P. Smith g...@krypto.org added the comment: Reasons why it is a good idea to apply this change to 2.7.4 and 3.2.4:
* Memory leak in poolGrow (CVE-2012-1148)
* Resource leak in readfilemap.c (CVE-2012-1147)
* Buffer over-read and crash in big2_toUtf8 (CVE-2009-3560)
* Parser crash with
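An added example, not part of this tracker thread or of CPython's own test suite: a small audit that reads the expat version pyexpat reports (the stdlib attributes pyexpat.EXPAT_VERSION and pyexpat.version_info) and says whether the build is at or past the 2.1.0 update this issue ships, i.e. whether the CVEs listed above are addressed. The CVE list and the 2.1.0 threshold are taken from the thread; whether the local XML_HAS_SET_HASH_SALT modification survived is not observable from Python and is not checked here.

```python
import re
import pyexpat

# Expat release this issue (issue14340) updated the embedded copy to.
PATCHED_VERSION = (2, 1, 0)

# CVEs the thread lists as reasons to ship 2.1.0 in 2.7.4 and 3.2.4.
CVES_ADDRESSED = ("CVE-2012-1148", "CVE-2012-1147", "CVE-2009-3560")


def parse_expat_version(text):
    """Turn a pyexpat.EXPAT_VERSION string such as 'expat_2.1.0' into a tuple.

    Raises ValueError when the string carries no dotted version at all.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if match is None:
        raise ValueError("no version number in %r" % (text,))
    major, minor, micro = match.groups()
    return (int(major), int(minor), int(micro or 0))


def audit_expat(version):
    """Report whether an expat version is at or past the 2.1.0 update.

    `version` may be a string (EXPAT_VERSION) or a tuple (version_info).
    """
    if isinstance(version, str):
        version = parse_expat_version(version)
    version = tuple(version)
    patched = version >= PATCHED_VERSION
    return {
        "version": version,
        "patched": patched,
        # Fixes the build is missing if it still runs an older expat.
        "missing_fixes": () if patched else CVES_ADDRESSED,
    }


def audit_running_interpreter():
    """Check the expat copy the current interpreter's pyexpat module uses."""
    return audit_expat(pyexpat.version_info)


if __name__ == "__main__":
    print(pyexpat.EXPAT_VERSION, audit_running_interpreter())
```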

2012-06-26 Thread Georg Brandl
Georg Brandl ge...@python.org added the comment: Moving back to blocker for beta2. priority: deferred blocker -> release blocker

2012-06-23 Thread Georg Brandl
Georg Brandl ge...@python.org added the comment: Deferring for beta1 at least. priority: release blocker -> deferred blocker

2012-06-23 Thread Gregory P. Smith
Gregory P. Smith g...@krypto.org added the comment: Thanks. I still intend to get to this. On Jun 23, 2012 1:59 AM, Georg Brandl rep...@bugs.python.org wrote: Georg Brandl ge...@python.org added the comment: Deferring for beta1 at least. priority: release blocker -> deferred

2012-06-19 Thread Georg Brandl
Georg Brandl ge...@python.org added the comment: Greg, are you still going to update expat in time for 3.3? Otherwise this doesn't block 3.3 anymore.

2012-03-16 Thread Gregory P. Smith
New submission from Gregory P. Smith g...@krypto.org: As pointed out in #14234, our embedded copy of expat used by pyexpat for xml parsing in Modules/expat/ is out of date. There have been many fixes to expat that we have not applied including a few potential crash and security fixes. We

2012-03-16 Thread Benjamin Peterson
Benjamin Peterson benja...@python.org added the comment: What would be awesome is if we could just kill embedded versions of libraries like expat.

2012-03-16 Thread Gregory P. Smith
Gregory P. Smith g...@krypto.org added the comment: Indeed! How do we do that on Windows and OS X where these may not exist outside of Python? We already require a set of external dependency libraries on Windows, could we just add expat to the list?

2012-03-16 Thread Antoine Pitrou
Antoine Pitrou pit...@free.fr added the comment:
> What would be awesome is if we could just kill embedded versions of libraries like expat.
It practically wouldn't change much, since we still bundle them as part of Windows binaries.

2012-03-16 Thread Gregory P. Smith
Gregory P. Smith g...@krypto.org added the comment: It is much less effort for us to simply take a new version of an external library and recompile rather than consider it part of our code that shouldn't change within a release and manually deal with patching it and cherry picking patches