[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-12 Thread Ned Deily
Ned Deily added the comment: I am closing this issue as a duplicate of the existing Issue29591. We can retitle the PR to be associated with it. And I am making Issue29591 a release blocker for 3.6.2; regardless of what we decide to do for 3.7, we're not going to drop the embedded copies of expat

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread STINNER Victor
STINNER Victor added the comment: I opened a thread on python-dev to ask if we could drop our embedded copy of libexpat: https://mail.python.org/pipermail/python-dev/2017-June/148287.html

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread Stéphane Wirtel
Stéphane Wirtel added the comment: Yep, it's similar

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread Ned Deily
Ned Deily added the comment: Isn't this a duplicate of Issue29591? -- nosy: +ned.deily

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread Stéphane Wirtel
Stéphane Wirtel added the comment: I have checked: in 3.4, 3.5 and 3.6 it's version 2.1.1, except for 2.7 and 3.3, where it's version 2.1.0 -- nosy: +matrixise

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread Stéphane Wirtel
Changes by Stéphane Wirtel : -- versions: +Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread Stéphane Wirtel
Changes by Stéphane Wirtel : -- pull_requests: +2087

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread Duy Phan Thanh
Duy Phan Thanh added the comment: According to their changelog here https://github.com/libexpat/libexpat/blob/master/expat/Changes the vulnerability was fixed in expat 2.2.0, and yes, it does not affect systems that use --with-system-expat.

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread STINNER Victor
STINNER Victor added the comment: I added this vulnerability to the Python security document: http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread STINNER Victor
STINNER Victor added the comment: What is the first expat version which isn't vulnerable? I guess that this issue only impacts platforms which don't use --with-system-expat. Linux distributions use the system expat library for example. Currently, the Python master branch embeds a copy of expa

[issue30610] Python's libexpat vulnerable to CVE-2016-0718

2017-06-09 Thread Duy Phan Thanh
Changes by Duy Phan Thanh : -- title: libexpat vulnerable to CVE-2016-0718 -> Python's libexpat vulnerable to CVE-2016-0718