New submission from STINNER Victor <vstin...@python.org>:
Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs": https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/

The table of vulnerabilities in Python XML parsers should be updated as well: https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

My outdated notes on Modules/expat/: copy of libexpat

* ./configure --with-system-expat
* Rationale: https://mail.python.org/pipermail/python-dev/2017-June/148287.html
* Used on Windows and macOS, Linux distributions use system libexpat
* Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
* Script to update it: see attached script to https://bugs.python.org/issue30947
* Recent update: https://bugs.python.org/issue30947
* Python 2.7, 3.3-3.6 use libexpat 2.2.1

https://pythondev.readthedocs.io/files.html

----------
components: Extension Modules
messages: 395634
nosy: vstinner
priority: normal
severity: normal
status: open
title: [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1
type: security
versions: Python 3.10, Python 3.11, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44394>
_______________________________________
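The issue above asks two things of a deployment: know which libexpat a given Python build actually links against, and keep nested internal-entity expansion from blowing up memory until the vendored copy is updated. The following is an added example, not code from the issue or from CPython; it uses the standard `pyexpat` module (`version_info`, `EntityDeclHandler`, `CharacterDataHandler`), the version threshold 2.4.0 named in the issue, and two small XML documents constructed here for illustration. The amplification limit and the names `expat_is_patched`, `parse_guarded` and `UnsafeXML` are this example's own choices.

```python
"""Added example: report whether the linked libexpat carries the
CVE-2013-0340 fix, and parse XML with a guard against entity-driven
text amplification. Not part of the tracker issue or of CPython."""
import pyexpat

# Expat 2.4.0 is the first release with the fix, per the issue text.
FIXED_VERSION = (2, 4, 0)


def expat_is_patched(version_info=None):
    """True if the libexpat Python links against is at least 2.4.0.

    `version_info` defaults to the running interpreter's pyexpat.version_info
    so the same check can be run on a build before it is shipped."""
    if version_info is None:
        version_info = pyexpat.version_info
    return tuple(version_info) >= FIXED_VERSION


class UnsafeXML(ValueError):
    """Raised when a document declares entities or expands too much text."""


def parse_guarded(data, allow_entities=False, max_amplification=10.0):
    """Parse `data` (bytes) and return its character data as one string.

    Parsing aborts with UnsafeXML when the document declares an entity
    (unless `allow_entities` is set) or when the expanded character data
    exceeds `max_amplification` times the size of the input. The ratio
    check is an illustrative stand-in for the amplification limit that
    Expat 2.4.0 enforces natively; the numbers here are assumptions."""
    budget = int(len(data) * max_amplification)
    chunks = []
    expanded = 0

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        # Entity declarations are the building block of nested expansion;
        # refuse them outright unless the caller opted in.
        if not allow_entities:
            raise UnsafeXML("entity declaration %r rejected" % name)

    def on_chars(text):
        nonlocal expanded
        expanded += len(text.encode("utf-8"))
        if expanded > budget:
            raise UnsafeXML("expanded text exceeds %d bytes (limit %.1fx input)"
                            % (budget, max_amplification))
        chunks.append(text)

    parser = pyexpat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    # An exception raised inside a handler stops the parse and propagates.
    parser.Parse(data, True)
    return "".join(chunks)


def is_rejected(data, **kwargs):
    """Convenience wrapper: True if parse_guarded refuses `data`."""
    try:
        parse_guarded(data, **kwargs)
    except UnsafeXML:
        return True
    return False


# Constructed samples (not from the issue): a plain document and one that
# declares a single internal entity and references it three times.
BENIGN = b"<?xml version='1.0'?><note>hello</note>"
WITH_ENTITY = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE note [<!ENTITY a 'aaaaaaaaaa'>]>"
               b"<note>&a;&a;&a;</note>")

if __name__ == "__main__":
    print("libexpat", ".".join(map(str, pyexpat.version_info)),
          "patched" if expat_is_patched() else "NOT patched")
    print("benign:", parse_guarded(BENIGN))
    print("entity doc, default policy rejected:", is_rejected(WITH_ENTITY))
    print("entity doc, entities allowed:",
          parse_guarded(WITH_ENTITY, allow_entities=True))
```

Run on a CPython build with an old vendored Expat the version check reports it as unpatched while the handler-based guard still refuses the entity-declaring document; with `allow_entities=True` the same document parses, and a tight `max_amplification` (below 1.0 for this sample, whose 30 expanded bytes come from an 85-byte input) trips the budget check instead.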