[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2022-01-01 Thread Guido van Rossum


Change by Guido van Rossum :


--
nosy:  -gvanrossum

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2022-01-01 Thread Stefan Behnel

Stefan Behnel  added the comment:

I'd like to ask for clarification regarding issue 45321, which adds the missing 
error constants to the `expat` module. I consider those new features – it seems 
inappropriate to add new module constants in the middle of a release series. 
However, in this ticket here, the libexpat version was updated all the way back 
to Py3.6, to solve a security issue.

Should we also backport the error constants then?

--
nosy: +scoder




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 90004fca1cc3c6e3c9b2c3faae5cb1b7d7711648 by Miss Islington (bot) 
in branch '3.8':
[3.8] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28620)
https://github.com/python/cpython/commit/90004fca1cc3c6e3c9b2c3faae5cb1b7d7711648


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26997
pull_request: https://github.com/python/cpython/pull/28627




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 412ae8ab10734b72384c969181919cc4eb154406 by Miss Islington (bot) 
in branch '3.10':
[3.10] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28621)
https://github.com/python/cpython/commit/412ae8ab10734b72384c969181919cc4eb154406


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread Łukasz Langa

Change by Łukasz Langa :


--
pull_requests: +26996
pull_request: https://github.com/python/cpython/pull/28624




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread miss-islington


miss-islington  added the comment:


New changeset fafa213870193cf79557588ae8f9a4af570fd6e3 by Miss Islington (bot) 
in branch '3.9':
bpo-44394: Ensure libexpat is linked against libm (GH-28617)
https://github.com/python/cpython/commit/fafa213870193cf79557588ae8f9a4af570fd6e3


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26994
pull_request: https://github.com/python/cpython/pull/28621




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread Pablo Galindo Salgado


Pablo Galindo Salgado  added the comment:


New changeset 6c1154b9de29e1c9cd3d05f5289543e5cff73895 by Pablo Galindo Salgado 
in branch 'main':
bpo-44394: Ensure libexpat is linked against libm (GH-28617)
https://github.com/python/cpython/commit/6c1154b9de29e1c9cd3d05f5289543e5cff73895


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26993
pull_request: https://github.com/python/cpython/pull/28620




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26992
pull_request: https://github.com/python/cpython/pull/28619




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-29 Thread Pablo Galindo Salgado


Change by Pablo Galindo Salgado :


--
pull_requests: +26988
pull_request: https://github.com/python/cpython/pull/28617




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-28 Thread sping


sping  added the comment:

For the AIX link error that Pablo brought up, there is merged pull request 
https://github.com/libexpat/libexpat/pull/510 upstream.

--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-09-28 Thread Pablo Galindo Salgado


Pablo Galindo Salgado  added the comment:

The backport to 3.8 broke 3.8.12 in AIX:


0/Modules/_decimal/libmpdec/sixstep.o 
build/temp.aix-7.1-3.8/tmp/python3.8-3.8.12-0/Modules/_decimal/libmpdec/transpose.o
 -L. -L/opt/bb/lib -L/opt/bb/lib64 -R/opt/bb/lib64 -lm -o 
build/lib.aix-7.1-3.8/_decimal.cpython-38.so

*** WARNING: renaming "pyexpat" since importing it failed: rtld: 0712-001 
Symbol _isnanf was referenced
from module build/lib.aix-7.1-3.8/pyexpat.cpython-38.so(), but a runtime 
definition of the symbol was not found.

--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-31 Thread Ned Deily


Ned Deily  added the comment:

PRs merged in 3.7 branch for release in 3.7.12 and in 3.6 branch for release in 
3.6.15.

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-31 Thread Ned Deily


Ned Deily  added the comment:


New changeset 910886a6448e4bf1edf49eeace4aa240b6403772 by Ned Deily in branch 
'3.6':
[3.6] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) (GH-28080)
https://github.com/python/cpython/commit/910886a6448e4bf1edf49eeace4aa240b6403772


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-31 Thread Ned Deily


Change by Ned Deily :


--
pull_requests: +26523
pull_request: https://github.com/python/cpython/pull/28080




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-30 Thread Ned Deily

Ned Deily  added the comment:


New changeset 79101b890ee021a901a8b6837a3a320d57adb725 by Łukasz Langa in 
branch '3.7':
[3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042)
https://github.com/python/cpython/commit/79101b890ee021a901a8b6837a3a320d57adb725


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-30 Thread STINNER Victor


STINNER Victor  added the comment:

I created https://python-security.readthedocs.io/vuln/expat-billion-laughs.html 
to track this vulnerability.

--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:

3.6 will need a separate backport because it's using expat 2.2.6 at the moment 
(from b2260e59ff1eaf20de4738099005ddf507b7b27d).

3.7 conflicted since it didn't include local changes to the vendored 2.2.8 that 
were introduced in 3.8+. I fixed that, the backport is up.

--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread Łukasz Langa

Change by Łukasz Langa :


--
pull_requests: +26487
pull_request: https://github.com/python/cpython/pull/28042




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 007221a43e566db08c0c5c00756d80dfd9dccafe by Miss Islington (bot) 
in branch '3.9':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28032)
https://github.com/python/cpython/commit/007221a43e566db08c0c5c00756d80dfd9dccafe


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread miss-islington


miss-islington  added the comment:


New changeset 270678564c16452614a8acd93763bdf64fb4d286 by Miss Islington (bot) 
in branch '3.10':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/270678564c16452614a8acd93763bdf64fb4d286


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset c9c2a0bc9820f93f1020f3498f6893a3544c9b76 by Miss Islington (bot) 
in branch '3.8':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28033)
https://github.com/python/cpython/commit/c9c2a0bc9820f93f1020f3498f6893a3544c9b76


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26477
pull_request: https://github.com/python/cpython/pull/28032




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 3fc5d84046ddbd66abac5b598956ea34605a4e5d by Victor Stinner in 
branch 'main':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/3fc5d84046ddbd66abac5b598956ea34605a4e5d


--




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26478
pull_request: https://github.com/python/cpython/pull/28033




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-08-29 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 6.0 -> 7.0
pull_requests: +26476
pull_request: https://github.com/python/cpython/pull/28031




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-06-28 Thread STINNER Victor


STINNER Victor  added the comment:

The attached cpython_rebuild_expat_dir.sh script updates Modules/expat/, our 
libexpat copy, to 2.4.1. I used it to create the attached PR 26945.

--
Added file: https://bugs.python.org/file50129/cpython_rebuild_expat_dir.sh




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-06-28 Thread STINNER Victor


Change by STINNER Victor :


--
keywords: +patch
pull_requests: +25512
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/26945




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-06-21 Thread STINNER Victor


Change by STINNER Victor :


--
nosy: +lukasz.langa, ned.deily, pablogsal




[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2021-06-11 Thread sping


Change by sping :


--
title: [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: 
Updated to vendoed copy to expat 2.4.1 -> [security] CVE-2013-0340 "Billion 
Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1
