The embedded copy of expat was recently upgraded to 2.4.6 in
https://bugs.python.org/issue46794, including on the 3.9 branch.  That will
wind up in 3.9.11 per https://www.python.org/dev/peps/pep-0596/.

If you are using 3.9.5 you may also have a host of other potential security
issues that updating to a recent 3.9.x will address. If you are using 3.9.5
as provided by a Linux or similar OS distribution, I'd expect the OS distro
packager to be applying relevant patches to it themselves (some distros
link to their own managed libexpat instead of using the embedded version)
even if they don't change the version number.

-gps
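
As an added example (not code from this thread, and not CPython's own), the
check a practitioner would run before deciding whether a given interpreter
needs rebuilding: it reports which libexpat the running pyexpat module was
compiled against, whether the version clears the 2.4.6 release named above,
and whether the build was configured with CPython's --with-system-expat flag,
which is how a distro links its own managed libexpat instead of the copy
embedded under Modules/expat. It relies on the real stdlib attributes
pyexpat.EXPAT_VERSION, pyexpat.version_info and
sysconfig.get_config_var("CONFIG_ARGS"); the 2.4.6 threshold and the
sample configure strings in the docstrings are assumptions for illustration.

```python
"""Audit which libexpat the running Python's pyexpat module was built against.

Added example, not code from the python-dev thread or from CPython itself.
Real stdlib inputs used here:
  pyexpat.EXPAT_VERSION                    -> string such as "expat_2.2.8"
  pyexpat.version_info                     -> tuple such as (2, 2, 8)
  sysconfig.get_config_var("CONFIG_ARGS")  -> the ./configure arguments the
      interpreter was built with (empty or None on some builds, e.g. Windows)
MIN_EXPAT is the 2.4.6 release the thread names (an assumed threshold);
"--with-system-expat" is CPython's configure option for linking the
OS-managed libexpat instead of the embedded copy.
"""
import re
import sys
import sysconfig
from typing import Dict, Optional, Tuple

import pyexpat

MIN_EXPAT: Tuple[int, int, int] = (2, 4, 6)
SYSTEM_EXPAT_FLAG = "--with-system-expat"

_VERSION_RE = re.compile(r"^expat_(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version(version_string: str) -> Tuple[int, int, int]:
    """Turn pyexpat's "expat_2.2.8" into (2, 2, 8); reject anything else."""
    match = _VERSION_RE.match(version_string)
    if match is None:
        raise ValueError(f"unrecognised expat version string: {version_string!r}")
    major, minor, micro = (int(part) for part in match.groups())
    return (major, minor, micro)


def expat_is_at_least(version: Tuple[int, ...],
                      minimum: Tuple[int, ...] = MIN_EXPAT) -> bool:
    """Lexicographic tuple comparison: (2, 5, 0) clears (2, 4, 6), (2, 2, 8) does not."""
    return tuple(version) >= tuple(minimum)


def built_with_system_expat(config_args: Optional[str] = None) -> bool:
    """True if the configure line asked for the OS libexpat.

    CONFIG_ARGS looks like "'--prefix=/usr' '--with-system-expat'" (each
    argument shell-quoted), so tokens are unquoted before comparison.
    A False result does not prove the embedded copy is vulnerable: distro
    packagers often backport fixes without bumping the version string.
    """
    if config_args is None:
        config_args = sysconfig.get_config_var("CONFIG_ARGS") or ""
    tokens = [token.strip("'\"") for token in config_args.split()]
    return any(token in (SYSTEM_EXPAT_FLAG, SYSTEM_EXPAT_FLAG + "=yes")
               for token in tokens)


def audit(expat_version: Optional[str] = None,
          config_args: Optional[str] = None,
          minimum: Tuple[int, ...] = MIN_EXPAT) -> Dict[str, object]:
    """Summarise one interpreter.

    With no arguments, inspects the running interpreter. Pass both
    expat_version and config_args to evaluate values collected elsewhere
    (e.g. from a build host), otherwise the two halves describe different
    interpreters.
    """
    raw = pyexpat.EXPAT_VERSION if expat_version is None else expat_version
    version = parse_expat_version(raw)
    return {
        "expat_version": version,
        "meets_minimum": expat_is_at_least(version, minimum),
        "system_expat": built_with_system_expat(config_args),
    }


def _dotted(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def main() -> int:
    report = audit()
    print(f"Python {sys.version.split()[0]}")
    print(f"pyexpat built against expat {_dotted(report['expat_version'])}")
    print(f"configured with {SYSTEM_EXPAT_FLAG}: {report['system_expat']}")
    if report["meets_minimum"]:
        print(f"expat >= {_dotted(MIN_EXPAT)}: OK")
        return 0
    print(f"expat below {_dotted(MIN_EXPAT)}: rebuild with {SYSTEM_EXPAT_FLAG} "
          f"against a current libexpat, or move to a 3.9.x release that "
          f"carries the upgraded embedded copy")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 audit_expat.py` under each interpreter you ship; a non-zero
exit from a vendor-patched distro Python is a prompt to check the package
changelog rather than proof of exposure, for the reason given in the message
above.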

On Fri, Feb 25, 2022 at 11:43 AM Prasad, PCRaghavendra <
pcraghavendra.pra...@dell.com> wrote:

> Hi All,
>
> We are using Python 3.9.5 in our application.
>
> In 3.9.5 it is using libexpat 2.2.8; as part of the Black Duck scan, it is
> showing critical vulnerabilities in libexpat 2.2.8:
>
> CVE-2022-22824
> CVE-2022-23990
> CVE-2022-23852
> CVE-2022-25236
> CVE-2022-22823
>
> When there are any issues (security issues) in external modules like
> OpenSSL, bzip2, and zlib we were able to get the latest code and build, as
> it is straightforward, but libexpat is an internal module to Python and
> we don't see how we can upgrade libexpat alone in Python 3.9.5.
>
> So is there a way we can build Python (e.g. 3.9.5), which is already carrying
> libexpat 2.2.8, so that it will link to the latest libexpat version (2.4.6,
> with the security issues fixed)?
>
> Another solution, which we came to know of when we searched over the net and
> from the mails, is that we need to wait for Python 3.9.11, where this will be
> linked to libexpat 2.4.6.
>
> Any inputs on this will be helpful.
>
> Thanks,
>
> Raghu
>
> Internal Use - Confidential
> _______________________________________________
> Python-Dev mailing list -- python-dev@python.org
> To unsubscribe send an email to python-dev-le...@python.org
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at
> https://mail.python.org/archives/list/python-dev@python.org/message/2JHZTKQVVYR67KQRIFF5XEMXDY3FZLMN/
> Code of Conduct: http://python.org/psf/codeofconduct/
>
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/64FLSLO7KN2Q6UDFXAJEX5LPOUJ32NKL/
Code of Conduct: http://python.org/psf/codeofconduct/