[Python-Dev] Need help on security vulnerability zlib 1.2.11

2022-04-19 Thread Prasad, PCRaghavendra
Hi All,

We are facing an issue with the zlib package 1.2.11. Recently there was a 
vulnerability in zlib and we had to upgrade to 1.2.12 on all supported platforms.
We did that on all platforms including Windows; python39.dll is now showing 
1.2.12, but the problem is we use PyInstaller to generate the application exe.
This exe is still referring to 1.2.11. We tried a lot of things to find how it is 
linking to 1.2.11; there is no line of sight on this.

Can anyone please provide some input on this?

Thanks,
Raghu


Internal Use - Confidential
___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/RMWN43WHALFSEWOYQUMT63YFSBPL3MPQ/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-Dev] Python 3.9.11

2022-03-16 Thread Prasad, PCRaghavendra
Hi Team,

Can someone please let us know the release date of Python 3.9.11 (with the 
libexpat 2.4.8 security issues fixed)?

On the python.org releases page it was mentioned as 14 March 2022, but still I 
couldn't see the binaries/source code.

Can someone help with this?

Thanks,
Raghavendra


Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/5LWAYP7A4BBGPXXBAUWTSL6YQWHDX25N/


[Python-Dev] Re: Need Help

2022-02-25 Thread Prasad, PCRaghavendra
Hi Scott,

Thanks for the reply

Are you asking how to link python to an external libexpat instead of the vendor 
expat inside python?

>> Yes, we have done that for some of the external libs like OpenSSL and bzip2, but 
>> libexpat was an internal module of Python, so how to link to the latest expat 
>> lib/code without changing the Python version was our doubt.

Have you tried deleting libexpat 2.2.8 from the python source code and 
replacing it with the libexpat 2.4.6 and then compiling python?

>> No, do you mean here removing the files (the python\Modules\expat folder) and 
>> replacing them with the new files from libexpat 2.4.6? We didn't do that.
>> We didn't know whether that is the right way of doing it and if there are any 
>> incompatibilities with the Python version (3.9.5).

Are you concerned that you need fixes in the python code to support the 2.4 
version?

>> Yes, our application is running with Python 3.9.5 and it internally contains 
>> libexpat 2.2.8, which has security vulnerabilities.
>> One way is to upgrade Python to the latest version where the libexpat 
>> issues are fixed (maybe 3.9.11).

What is the best approach so that there will be no major issues?

Thanks,
Raghu

From: Barry Scott 
Sent: Saturday, February 26, 2022 3:08 AM
To: Prasad, PCRaghavendra
Cc: Python-Dev@python.org
Subject: Re: [Python-Dev] Need Help


On 25 Feb 2022, at 12:58, Prasad, PCRaghavendra <pcraghavendra.pra...@dell.com> wrote:

Hi All,

We are using the Python 3.9.5 version in our application.

In 3.9.5 it is using the libexpat 2.2.8 version; as part of the Black Duck scan, it 
is showing critical vulnerabilities in libexpat 2.2.8 
(CVE-2022-22824, CVE-2022-23990, CVE-2022-23852, CVE-2022-25236, CVE-2022-22823).

When there are any issues (security issues) in external modules like OpenSSL, 
bzip2, and zlib we were able to get the latest code and build, as it is 
straightforward, but libexpat is an internal module of Python and we don't 
see how we can upgrade libexpat alone in Python 3.9.5.

So is there a way we can build Python (e.g. 3.9.5), which is already carrying 
libexpat 2.2.8, so that it will link to the latest libexpat version (2.4.6, with 
the security issues fixed)?

Another solution, from what we found when we searched over the net and from the 
mails, is that we need to wait for Python 3.9.11, where this will be linked to 
libexpat 2.4.6.

Any inputs on this will be helpful.

Are you asking how to link python to an external libexpat instead of the 
vendored expat inside python?

Have you tried deleting libexpat 2.2.8 from the python source code and 
replacing it with the libexpat 2.4.6 and then compiling python?

Are you concerned that you need fixes in the python code to support the 2.4 
version?

Barry



Thanks,
Raghu


Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/TIJEEHEXSNQMVMFIWK3S2DY744YN4DSS/


[Python-Dev] Need Help

2022-02-25 Thread Prasad, PCRaghavendra
Hi All,

We are using the Python 3.9.5 version in our application.

In 3.9.5 it is using the libexpat 2.2.8 version; as part of the Black Duck scan, it 
is showing critical vulnerabilities in libexpat 2.2.8 
(CVE-2022-22824, CVE-2022-23990, CVE-2022-23852, CVE-2022-25236, CVE-2022-22823).

When there are any issues (security issues) in external modules like OpenSSL, 
bzip2, and zlib we were able to get the latest code and build, as it is 
straightforward, but libexpat is an internal module of Python and we don't 
see how we can upgrade libexpat alone in Python 3.9.5.

So is there a way we can build Python (e.g. 3.9.5), which is already carrying 
libexpat 2.2.8, so that it will link to the latest libexpat version (2.4.6, with 
the security issues fixed)?

Another solution, from what we found when we searched over the net and from the 
mails, is that we need to wait for Python 3.9.11, where this will be linked to 
libexpat 2.4.6.

Any inputs on this will be helpful.

Thanks,
Raghu


Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/
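Added example (not from the thread or from CPython itself) that serves both questions in this archive: the PyInstaller exe that still reports zlib 1.2.11, and the Python 3.9.5 build carrying libexpat 2.2.8. Run under the plain interpreter and again inside the frozen exe, it reports the zlib version python39.dll was compiled against versus the zlib actually loaded at run time, plus the expat version pyexpat carries; the minimum versions (zlib 1.2.12, libexpat 2.4.8) are taken from the thread and are an assumption to adjust.

```python
import re
import sys
import zlib
import pyexpat

# Minimum versions carrying the fixes the thread refers to (zlib 1.2.12, libexpat 2.4.8).
# Assumption: adjust these to whatever your scanner's advisory data requires.
DEFAULT_MINIMUMS = {"zlib": (1, 2, 12), "expat": (2, 4, 8)}


def parse_version(text):
    """Turn '1.2.12' or '1.2.11.zlib-ng' into a comparable tuple such as (1, 2, 12)."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def check_bundled_versions(minimums=DEFAULT_MINIMUMS):
    """Report the zlib/expat versions this interpreter (or frozen exe) really uses."""
    # ZLIB_VERSION is the header version CPython was compiled against;
    # ZLIB_RUNTIME_VERSION is what the zlib code loaded in this process reports.
    # On Windows the two normally match because zlib is linked into python3x.dll;
    # if they differ, an older zlib shared library is being picked up from elsewhere.
    zlib_compiled = parse_version(zlib.ZLIB_VERSION)
    zlib_runtime = parse_version(zlib.ZLIB_RUNTIME_VERSION)
    # pyexpat reports the expat it was built with, vendored or external.
    expat_runtime = tuple(pyexpat.version_info)
    report = {
        "frozen": bool(getattr(sys, "frozen", False)),  # True inside a PyInstaller-built exe
        "executable": sys.executable,
        "zlib": {"compiled": zlib_compiled, "runtime": zlib_runtime,
                 "ok": zlib_runtime >= minimums["zlib"]},
        "expat": {"runtime": expat_runtime, "ok": expat_runtime >= minimums["expat"]},
    }
    report["ok"] = report["zlib"]["ok"] and report["expat"]["ok"]
    return report


def main():
    report = check_bundled_versions()
    print("frozen:", report["frozen"], "executable:", report["executable"])
    for name in ("zlib", "expat"):
        print(name, report[name])
    return 0 if report["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

A CPython configured with `--with-system-expat` reports the installed libexpat here instead of the vendored Modules/expat copy, which is one way to link to an external expat without patching the Python source tree.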