New submission from Gregory P. Smith <g...@krypto.org>:

As pointed out in #14234, our embedded copy of expat used by pyexpat for XML 
parsing in Modules/expat/ is out of date.  There have been many fixes to expat 
that we have not applied, including a few potential crash and security fixes.

We should upgrade it wholesale to the latest version for 3.3.

Someone should also audit expat changes to see if there are security fixes for 
expat that should be backported to 2.6/2.7/3.1/3.2 as platforms without a 
system expat such as Windows (and 2.6 and 3.1) will contain those problems.

I am marking this a release blocker for 3.3 to ensure expat is updated before 
then.  I would *not* hold up the existing round of release candidates for this; 
the next security+bugfix updates can contain these changes.

----------
components: Extension Modules
messages: 156087
nosy: Arfrever, Jim.Jewett, amaury.forgeotdarc, barry, benjamin.peterson, 
dmalcolm, georg.brandl, gregory.p.smith, pitrou
priority: release blocker
severity: normal
status: open
title: Update embedded copy of expat - fix security & crash issues
type: security
versions: Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue14340>
_______________________________________