[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-21 Thread Jeremy Kloth
Jeremy Kloth added the comment: Added pull_request2355 to address issues from upgrading to Expat 2.2.0 on Windows 2.7 -- nosy: +jkloth

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-21 Thread Jeremy Kloth
Changes by Jeremy Kloth: -- pull_requests: +2355

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-17 Thread Ned Deily
Ned Deily added the comment: FYI, expat 2.2.1 has now been released. See Issue30694 for details.

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread Ned Deily
Ned Deily added the comment: Thanks, Victor, for seeing this through and thanks, everyone else, for the reviews and assistance.

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
STINNER Victor added the comment: New changeset 8c797ed8a0fea5e3162b9415f13e270d4d5d9549 by Victor Stinner in branch '3.5': bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164) (#2201) https://github.com/python/cpython/commit/8c797ed8a0fea5e3162b9415f13e270d4d5d9549

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
STINNER Victor added the comment: New changeset 0e4571a68a7f48e8469ef05b04ba3463d3fd82c0 by Victor Stinner in branch '2.7': bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164) (#2202) https://github.com/python/cpython/commit/0e4571a68a7f48e8469ef05b04ba3463d3fd82c0

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
STINNER Victor added the comment: @Ned Deily: I removed the "release blocker" flag, since I just merged my PR to update libexpat to 2.2 in the Python 3.6 branch. -- priority: release blocker ->

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
STINNER Victor added the comment: New changeset 86b95370c45dedb8a56c9894372a43681de47a73 by Victor Stinner in branch '3.6': bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164) (#2200) https://github.com/python/cpython/commit/86b95370c45dedb8a56c9894372a43681de47a73

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
STINNER Victor added the comment: Python 3.3 currently embeds a copy of libexpat 2.1.0, whereas other branches have libexpat 2.1.1: http://python-security.readthedocs.io/vuln/issue_26556_expat_2.1.1.html

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2248

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
Changes by STINNER Victor: -- nosy: +georg.brandl versions: +Python 3.3, Python 3.4

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2247

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2246

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2245

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2244

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor
STINNER Victor added the comment: New changeset 23ec4b57e1359f9c539b8defc317542173ae087e by Victor Stinner in branch 'master': bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164) https://github.com/python/cpython/commit/23ec4b57e1359f9c539b8defc317542173ae087e

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-13 Thread STINNER Victor
STINNER Victor added the comment: I upgraded Modules/expat/ to expat 2.2 using the attached rebuild_expat_dir.sh script: https://github.com/python/cpython/pull/2164
TODO: Should be done later in the master branch, once the security fix is handled.
* Drop support for VMS? VMS support removed from

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-13 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2215

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-12 Thread Ned Deily
Changes by Ned Deily: -- nosy: +matrixise

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-12 Thread Ned Deily
Ned Deily added the comment: Note that a duplicate of this issue was opened as Issue30610 and @matrixise was working on a PR there to update the embedded expat to 2.2.0. Since there are CVEs and a demo crash supplied in Issue30610, it seems to me we need to fix this for 3.6.2rc1 so I'm

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-02-21 Thread STINNER Victor
STINNER Victor added the comment: I'm working on new documentation of Python vulnerabilities to help handle such issues: http://python-security.readthedocs.io/en/latest/vulnerabilities.html

[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-02-20 Thread Natanael Copa
Changes by Natanael Copa: -- title: Various security vulnerabilities in bundled expat -> Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Christian Heimes
Changes by Christian Heimes: -- assignee: -> christian.heimes components: +XML stage: -> needs patch versions: -Python 3.3, Python 3.4

[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Christian Heimes
Christian Heimes added the comment: CVE-2016-0718 and CVE-2016-4472 might be relevant for Python. CVE-2016-5300 and CVE-2012-6702 are irrelevant. As Victor already pointed out, Python seeds libexpat from a good CPRNG.

[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Chi Hsuan Yen
Changes by Chi Hsuan Yen: -- nosy: +Chi Hsuan Yen

[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread STINNER Victor
STINNER Victor added the comment: You may want to look also at https://pypi.python.org/pypi/defusedxml

[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread STINNER Victor
STINNER Victor added the comment:
> CVE-2012-6702 (issue 519)
> Resolve troublesome internal call to srand that was introduced with Expat
> 2.1.0 when addressing CVE-2012-0876 (issue 496)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
Extract of Modules/pyexpat.c:
---
#if

[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Natanael Copa
New submission from Natanael Copa: cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.0 to fix various security vulnerabilities.
21 June 2016, Expat 2.2.0 released.
Release 2.2.0 includes security & other bug fixes.
Security fixes
CVE-2016-0718 (issue 537) Fix crash
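An added check, not code from the tracker thread or from CPython, for the question the whole thread turns on: does the expat a running Python is actually linked against already carry the 2.2.0 fixes for the two CVEs named above? The `FIXED_IN` table is constructed from the versions stated on this page; `pyexpat.EXPAT_VERSION` and `pyexpat.version_info` are existing attributes of CPython's pyexpat module.

```python
"""Report which of bpo-29591's expat CVEs the running Python's expat still lacks.

Added example, not code from the tracker thread or from CPython. It inspects the
expat that pyexpat is actually linked against, which is either the bundled
Modules/expat copy or a system libexpat (for a Python built --with-system-expat),
so the answer is about the library in use rather than the source tree.
"""
import pyexpat  # C module behind xml.parsers.expat; exposes the linked expat's version

# Constructed table: the thread states both CVEs are fixed by upgrading to Expat 2.2.0.
FIXED_IN = {
    "CVE-2016-0718": (2, 2, 0),
    "CVE-2016-4472": (2, 2, 0),
}


def parse_expat_version(s):
    """Turn an EXPAT_VERSION string such as 'expat_2.2.0' into an int tuple."""
    prefix = "expat_"
    if not s.startswith(prefix):
        raise ValueError("unexpected EXPAT_VERSION string: %r" % (s,))
    return tuple(int(part) for part in s[len(prefix):].split("."))


def unfixed_cves(version):
    """CVEs from FIXED_IN whose fix version is newer than the given expat version."""
    version = tuple(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def running_expat_report():
    """Describe the expat this interpreter links and which thread CVEs it lacks."""
    version = tuple(pyexpat.version_info)
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        "version_info": version,
        # Both forms come from the same compile-time macros; flag any disagreement.
        "consistent": parse_expat_version(pyexpat.EXPAT_VERSION) == version,
        "unfixed": unfixed_cves(version),
    }


if __name__ == "__main__":
    report = running_expat_report()
    print("expat in use: %s" % report["expat_version"])
    if report["unfixed"]:
        print("still missing fixes for: %s" % ", ".join(report["unfixed"]))
    else:
        print("carries the Expat 2.2.0 security fixes named in bpo-29591")
```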