[Python-Dev] Re: Need Help

2022-02-25 Thread Barry


> On 25 Feb 2022, at 21:47, Prasad, PCRaghavendra 
>  wrote:
> 
> 
> Hi Scott,

Scott is my family name.

>  
> Thanks for the reply
>  
> Are you asking how to link python to an external libexpat instead of the 
> vendor expat inside python?
>  
> >> yes, we have done for some of the external libs like OpenSSL, bzip2 but 
> >> libexpat was an internal module to python so how to link to the latest 
> >> expat lib/code without changing the python version was our doubt.
>  
> Have you tried deleting libexpat 2.2.8 from the python source code and 
> replacing it with the libexpat 2.4.6 and then compiling python?
>  
> >> No, do you mean here removing the files ( python\Modules\expat ) folder 
> >> and replacing the new files from libexpat 2.4.6. we didn’t do that
> We didn’t know whether that is the right way of doing it and if there are any 
> incompatibilities to the python version (3.9.5)
>  
> Are you concerned that you need fixes in the python code to support the 2.4 
> version?
>  
> >> Yes our application is running with python 3.9.5 and it internally contains 
> >> libexpat 2.2.8 that has security vulnerabilities
> One way is to upgrade the python to the latest version where the libexpat 
> issues are fixed ( maybe 3.9.11).
>  
> What is the best approach so that there will be no major issues.

If I was doing this I would replace the libexpat code inside the python tree 
then compile python and see if that works without error.

Take that python version and run the python test suite against it.
If that passes then I would run my application’s test suite to ensure no 
regressions.

Barry

>  
> Thanks,
> Raghu
>  
>  
>  
> Internal Use - Confidential
> From: Barry Scott  
> Sent: Saturday, February 26, 2022 3:08 AM
> To: Prasad, PCRaghavendra
> Cc: Python-Dev@python.org
> Subject: Re: [Python-Dev] Need Help
>  
> [EXTERNAL EMAIL]
> 
>  
>  
> 
> On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra 
>  wrote:
>  
> Hi All,
> 
> we are using the python 3.9.5 version in our application.
>  
> In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan, 
> it is showing critical vulnerabilities in libexpat 2.2.8.
>  
> (CVE-2022-22824
> CVE-2022-23990
> CVE-2022-23852
> CVE-2022-25236
> CVE-2022-22823)
> 
> when there are any issues ( security issues ) in external modules like 
> OpenSSL, bzip2, and zlib we were able to get the latest code and build as it 
> is straightforward, but libexpat is an internal module to the python and we 
> don't see how we can upgrade libexpat alone in python 3.9.5
> 
> So is there a way we can build python (ex 3.9.5) which is already carrying 
> libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 - 
> fixed security issues).
> 
> Another solution when we searched over the net and from the mails what we 
> came to know is we need to wait for Python 3.9.11 where this will be linked 
> to libexpat 2.4.6.
> 
> Any inputs on this will be helpful.
>  
> Are you asking how to link python to an external libexpat instead of the 
> vendored expat inside python?
>  
> Have you tried deleting libexpat 2.2.8 from the python source code and 
> replacing with the libexpat 2.4.6 and then compiling python?
>  
> Are you concerned that you need fixes in the python code to support the 2.4 
> version?
>  
> Barry
>  
>  
> 
> 
> Thanks,
> Raghu
>  
> ___
> Python-Dev mailing list -- python-dev@python.org
> To unsubscribe send an email to python-dev-le...@python.org
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at 
> https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/
> Code of Conduct: http://python.org/psf/codeofconduct/
>  
___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/LR2IF3PBVSMW4U5WLOOEV55RR47IM5WL/
Code of Conduct: http://python.org/psf/codeofconduct/
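Barry's procedure above (swap the expat sources in the tree, rebuild, run the CPython test suite, then the application's suite) has one step worth automating: confirming that the interpreter you built really loaded the expat you intended. The `pyexpat` module reports the expat it was linked against at run time, which is also the right thing to look at when, as Gregory notes, a distribution links its own libexpat rather than the embedded copy and leaves the Python version number unchanged. The following is an added example, not code from the thread or from CPython; it uses only the standard-library `pyexpat.EXPAT_VERSION` and `pyexpat.version_info` attributes, and the 2.4.6 threshold is the fixed version named in the thread.

```python
"""Report which libexpat a Python interpreter actually links against.

Added example, not code from the python-dev thread. It uses only the
standard-library pyexpat module, whose EXPAT_VERSION / version_info
attributes describe the expat build the running interpreter loaded
(whether vendored in Modules/expat or a system library). The minimum
version 2.4.6 is the one the thread identifies as carrying the fixes.
"""
import re
import sys

import pyexpat

# Version the thread names as carrying the fixes for the listed CVEs.
FIXED_EXPAT_VERSION = (2, 4, 6)

# pyexpat.EXPAT_VERSION looks like "expat_2.4.6".
_EXPAT_VERSION_RE = re.compile(r"^expat_(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version(version_string):
    """Turn an EXPAT_VERSION string such as 'expat_2.4.6' into (2, 4, 6)."""
    match = _EXPAT_VERSION_RE.match(version_string.strip())
    if match is None:
        raise ValueError(f"unrecognised expat version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_at_least(actual, minimum=FIXED_EXPAT_VERSION):
    """True when the linked expat is at or beyond the fixed version."""
    return tuple(actual) >= tuple(minimum)


def linked_expat_version():
    """Version tuple of the expat this interpreter actually loaded."""
    return tuple(pyexpat.version_info)


def expat_report(minimum=FIXED_EXPAT_VERSION):
    """Summarise the check as a dict, suitable for a build gate or CI log."""
    version = linked_expat_version()
    return {
        "python": sys.version.split()[0],
        "expat": ".".join(map(str, version)),
        "expat_string": pyexpat.EXPAT_VERSION,
        "fixed": is_at_least(version, minimum),
    }


if __name__ == "__main__":
    report = expat_report()
    print(report)
    # Non-zero exit so a build pipeline fails while expat is still below 2.4.6.
    sys.exit(0 if report["fixed"] else 1)
```

Run it with the freshly built interpreter (`./python expat_check.py`, hypothetical file name) before starting the test suites; a scanner such as Black Duck looks at the sources in the tree, whereas this reports what the binary loaded, and the two can disagree when a distro build links its own libexpat. When the CPython suite is run against the swapped-in sources, note that the tracker summary further down lists #46811, "Test suite needs adjustments for Expat >=2.4.5", so some test expectations may need the accompanying adjustments rather than indicating a broken build.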


[Python-Dev] Re: Need Help

2022-02-25 Thread Gregory P. Smith
The embedded copy of expat was recently upgraded to 2.4.6 in
https://bugs.python.org/issue46794 including on the 3.9 branch.  That will
wind up in 3.9.11 per https://www.python.org/dev/peps/pep-0596/.

If you are using 3.9.5 you may also have a host of other potential security
issues that updating to a recent 3.9.x will address. If you are using 3.9.5
as provided by a Linux or similar OS distribution, I'd expect the OS distro
packager to be applying relevant patches to it themselves (some distros
link to their own managed libexpat instead of using the embedded version)
even if they don't change the version number.

-gps

On Fri, Feb 25, 2022 at 11:43 AM Prasad, PCRaghavendra <
pcraghavendra.pra...@dell.com> wrote:

> Hi All,
>
> we are using the python 3.9.5 version in our application.
>
>
>
> In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck
> scan, it is showing critical vulnerabilities in libexpat 2.2.8.
>
>
>
> (CVE-2022-22824
>
> CVE-2022-23990
>
> CVE-2022-23852
>
> CVE-2022-25236
>
> CVE-2022-22823)
>
>
> when there are any issues ( security issues ) in external modules like
> OpenSSL, bzip2, and zlib we were able to get the latest code and build as
> it is straightforward, but libexpat is an internal module to the python and
> we don't see how we can upgrade libexpat alone in python 3.9.5
>
> So is there a way we can build python (ex 3.9.5) which is already carrying
> libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 -
> fixed security issues).
>
> Another solution when we searched over the net and from the mails what we
> came to know is we need to wait for Python 3.9.11 where this will be linked
> to libexpat 2.4.6.
>
> Any inputs on this will be helpful.
>
> Thanks,
>
> Raghu
>
___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/64FLSLO7KN2Q6UDFXAJEX5LPOUJ32NKL/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-Dev] Re: Need Help

2022-02-25 Thread Prasad, PCRaghavendra
Hi Scott,

Thanks for the reply

Are you asking how to link python to an external libexpat instead of the vendor 
expat inside python?

>> yes, we have done for some of the external libs like OpenSSL, bzip2 but 
>> libexpat was an internal module to python so how to link to the latest expat 
>> lib/code without changing the python version was our doubt.

Have you tried deleting libexpat 2.2.8 from the python source code and 
replacing it with the libexpat 2.4.6 and then compiling python?

>> No, do you mean here removing the files ( python\Modules\expat ) folder and 
>> replacing the new files from libexpat 2.4.6. we didn't do that
We didn't know whether that is the right way of doing it and if there are any 
incompatibilities to the python version (3.9.5)

Are you concerned that you need fixes in the python code to support the 2.4 
version?

>> Yes our application is running with python 3.9.5 and it internally contains 
>> libexpat 2.2.8 that has security vulnerabilities
One way is to upgrade the python to the latest version where the libexpat 
issues are fixed ( maybe 3.9.11).

What is the best approach so that there will be no major issues.

Thanks,
Raghu




From: Barry Scott 
Sent: Saturday, February 26, 2022 3:08 AM
To: Prasad, PCRaghavendra
Cc: Python-Dev@python.org
Subject: Re: [Python-Dev] Need Help




On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra 
<pcraghavendra.pra...@dell.com> wrote:

Hi All,

we are using the python 3.9.5 version in our application.

In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan, it 
is showing critical vulnerabilities in libexpat 2.2.8.

(CVE-2022-22824
CVE-2022-23990
CVE-2022-23852
CVE-2022-25236
CVE-2022-22823)

when there are any issues ( security issues ) in external modules like OpenSSL, 
bzip2, and zlib we were able to get the latest code and build as it is 
straightforward, but libexpat is an internal module to the python and we don't 
see how we can upgrade libexpat alone in python 3.9.5

So is there a way we can build python (ex 3.9.5) which is already carrying 
libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 - 
fixed security issues).

Another solution when we searched over the net and from the mails what we came 
to know is we need to wait for Python 3.9.11 where this will be linked to 
libexpat 2.4.6.

Any inputs on this will be helpful.

Are you asking how to link python to an external libexpat instead of the 
vendored expat inside python?

Have you tried deleting libexpat 2.2.8 from the python source code and 
replacing with the libexpat 2.4.6 and then compiling python?

Are you concerned that you need fixes in the python code to support the 2.4 
version?

Barry



Thanks,
Raghu


___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/TIJEEHEXSNQMVMFIWK3S2DY744YN4DSS/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-Dev] Re: Need Help

2022-02-25 Thread Barry Scott


> On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra 
>  wrote:
> 
> Hi All,
> 
> we are using the python 3.9.5 version in our application.
>  
> In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan, 
> it is showing critical vulnerabilities in libexpat 2.2.8.
>  
> (CVE-2022-22824
> CVE-2022-23990
> CVE-2022-23852
> CVE-2022-25236
> CVE-2022-22823)
> 
> when there are any issues ( security issues ) in external modules like 
> OpenSSL, bzip2, and zlib we were able to get the latest code and build as it 
> is straightforward, but libexpat is an internal module to the python and we 
> don't see how we can upgrade libexpat alone in python 3.9.5
> 
> So is there a way we can build python (ex 3.9.5) which is already carrying 
> libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 - 
> fixed security issues).
> 
> Another solution when we searched over the net and from the mails what we 
> came to know is we need to wait for Python 3.9.11 where this will be linked 
> to libexpat 2.4.6.
> 
> Any inputs on this will be helpful.

Are you asking how to link python to an external libexpat instead of the 
vendored expat inside python?

Have you tried deleting libexpat 2.2.8 from the python source code and 
replacing with the libexpat 2.4.6 and then compiling python?

Are you concerned that you need fixes in the python code to support the 2.4 
version?

Barry


> 
> Thanks,
> Raghu
> 
___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/GSI2MC5VGPU24SOZIDINGBCOD3NFM5S4/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-Dev] Need Help

2022-02-25 Thread Prasad, PCRaghavendra
Hi All,

we are using the python 3.9.5 version in our application.

In 3.9.5 it is using libexpat 2.2.8 version, as part of the Black duck scan, it 
is showing critical vulnerabilities in libexpat 2.2.8.

(CVE-2022-22824
CVE-2022-23990
CVE-2022-23852
CVE-2022-25236
CVE-2022-22823)

when there are any issues ( security issues ) in external modules like OpenSSL, 
bzip2, and zlib we were able to get the latest code and build as it is 
straightforward, but libexpat is an internal module to the python and we don't 
see how we can upgrade libexpat alone in python 3.9.5

So is there a way we can build python (ex 3.9.5) which is already carrying 
libexpat 2.2.8 so that it will link to the latest libexpat version (2.4.6 - 
fixed security issues).

Another solution when we searched over the net and from the mails what we came 
to know is we need to wait for Python 3.9.11 where this will be linked to 
libexpat 2.4.6.

Any inputs on this will be helpful.

Thanks,
Raghu


___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-Dev] Summary of Python tracker Issues

2022-02-25 Thread Python tracker


ACTIVITY SUMMARY (2022-02-18 - 2022-02-25)
Python tracker at https://bugs.python.org/

To view or respond to any of the issues listed below, click on the issue.
Do NOT respond to this message.

Issues counts and deltas:
  open    7220  (+2)
  closed 51363 (+64)
  total  58583 (+66)

Open issues with patches: 2939 


Issues opened (46)
==

#46793: expose expat XML billion laughs attack mitigation APIs
https://bugs.python.org/issue46793  opened by gregory.p.smith

#46794: Please update bundled libexpat to 2.4.6 with security fixes (5
https://bugs.python.org/issue46794  opened by sping

#46797: ast.Constant.n deprecated without warning
https://bugs.python.org/issue46797  opened by jwilk

#46798: xml.etree.ElementTree: get() doesn't return default value, alw
https://bugs.python.org/issue46798  opened by padremayi

#46799: ShareableList memory bloat and performance improvement
https://bugs.python.org/issue46799  opened by tcl326

#46803: Item not shown when using mouse wheel to scroll for Listbox/Co
https://bugs.python.org/issue46803  opened by Jason990420

#46805: Add low level UDP socket functions to asyncio
https://bugs.python.org/issue46805  opened by alex.gronholm

#46806: Overlapping PYTHONPATH may cause import already imported modul
https://bugs.python.org/issue46806  opened by aklajnert

#46808: remove NEXT_BLOCK() from compile.c
https://bugs.python.org/issue46808  opened by iritkatriel

#46809: copy.deepcopy can fail with unhelpful diagnostics
https://bugs.python.org/issue46809  opened by remdragon

#46810: multiprocessing.connection.Client doesn't support ipv6
https://bugs.python.org/issue46810  opened by mhupfer

#46811: Test suite needs adjustments for Expat >=2.4.5
https://bugs.python.org/issue46811  opened by sping

#46812: Thread starvation with threading.Condition
https://bugs.python.org/issue46812  opened by msg555

#46814: Documentation for constructing abstract base classes is mislea
https://bugs.python.org/issue46814  opened by Yoshanuikabundi

#46815: Extra `DeprecationWarning` when running `lib2to3` tests
https://bugs.python.org/issue46815  opened by sobolevn

#46816: Remove declarations for non-__STDC__ compilers
https://bugs.python.org/issue46816  opened by arhadthedev

#46817: Add a line-start table to the code object.
https://bugs.python.org/issue46817  opened by Mark.Shannon

#46823: Add LOAD_FAST__LOAD_ATTR_INSTACE_VALUE combined opcode
https://bugs.python.org/issue46823  opened by Dennis Sweeney

#46824: use AI_NUMERICHOST | AI_NUMERICSERV to skip getaddrinfo thread
https://bugs.python.org/issue46824  opened by graingert

#46826: prefixes argument to site.getsitepackages() missing documentat
https://bugs.python.org/issue46826  opened by asnell

#46828: math.prod can return integers (contradicts doc)
https://bugs.python.org/issue46828  opened by neilwebber

#46829: Confusing CancelError message if multiple cancellations are sc
https://bugs.python.org/issue46829  opened by asvetlov

#46831: Outdated comment for __build_class__ in compile.c
https://bugs.python.org/issue46831  opened by hauntsaninja

#46832: unicodeobject.c doesn't compile when defined EXPERIMENTAL_ISOL
https://bugs.python.org/issue46832  opened by moytrage

#46833: Installer Wizard is unclear and has redundant settings
https://bugs.python.org/issue46833  opened by buhtz

#46834: test_gdb started to fail on buildbot/s390x RHEL7
https://bugs.python.org/issue46834  opened by sobolevn

#46835: ImportError: bad magic number in ... does not indicate where i
https://bugs.python.org/issue46835  opened by hroncok

#46836: [C API] Move PyFrameObject to the internal C API
https://bugs.python.org/issue46836  opened by vstinner

#46838: Parameters and arguments parser syntax error improvments
https://bugs.python.org/issue46838  opened by Andy_kl

#46840: xmlrpc.client.ServerProxy shows password in __repr__ when usin
https://bugs.python.org/issue46840  opened by perrinjerome

#46841: Inline bytecode caches
https://bugs.python.org/issue46841  opened by brandtbucher

#46842: py to pyc location mapping with sys.pycache_prefix isn't 1-to-
https://bugs.python.org/issue46842  opened by benrg

#46843: PersistentTaskGroup API
https://bugs.python.org/issue46843  opened by achimnol

#46845: dict: Use smaller entry for Unicode-key only dict.
https://bugs.python.org/issue46845  opened by methane

#46846: functools.partial objects should set __signature__ and _annota
https://bugs.python.org/issue46846  opened by larry

#46847: functools.update_wrapper doesn't understand partial objects an
https://bugs.python.org/issue46847  opened by larry

#46848: Use optimized string search function in mmap.find()
https://bugs.python.org/issue46848  opened by rumpelsepp

#46849: Memory problems detected using Valgrind
https://bugs.python.org/issue46849  opened by sxt1001

#46850: [C API] Move _PyEval_EvalFrameDefault() to the internal C API
https://bugs.python.org/issue46850  opened by vstinner

#46851: Document