[Expat-bugs] Regarding libexpat vulnerabilities

Prasad, PCRaghavendra Pcraghavendra.Prasad at dell.com
Thu Feb 24 07:06:12 EST 2022


Hi Team,

We are using Python 3.9.5; we upgraded from Python 3.8 to 3.9.5 last year.
Python 3.9.5 uses libexpat 2.2.8, and as part of the Black Duck scan it is showing critical vulnerabilities in libexpat 2.2.8:

- CVE-2022-22824
- CVE-2022-23990
- CVE-2022-23852
- CVE-2022-25236
- CVE-2022-22823


Earlier this month the solution was to move to libexpat 2.4.4; now it is showing libexpat 2.4.6.

I searched the Python communities and bug trackers and found that a few things are fixed.

https://bugs.python.org/issue46400
The status of the above issue shows it is closed and merged into Python for the 2.4.4 version.

https://bugs.python.org/issue46794
The above bug is still open; this one is for version 2.4.6.

So our doubt is: which Python version do we need to upgrade to in order to get the latest libexpat 2.4.6?
Is there any timeline for when this will be merged?

We need your input on this so that we can take the necessary action from our side.

Thanks,
Raghavendra
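One way to answer the question above from the deployed interpreter itself, as an added example that is not part of the original post: Python's `pyexpat` module exposes the version of the libexpat it was actually linked against (`pyexpat.version_info` as a tuple and `pyexpat.EXPAT_VERSION` as a string of the form `expat_X.Y.Z`), so a build or CI check can compare that against the 2.4.6 minimum the thread is asking for instead of inferring it from the Python release number. The helper names (`parse_expat_version`, `is_fixed`, `runtime_expat_version`, `report`) and the `MIN_EXPAT` constant are this example's own.

```python
"""Check which libexpat the running Python interpreter actually uses.

Added example, not code from the mailing-list post. It reads the version
pyexpat was linked against and compares it with the minimum version named
in the thread (2.4.6). parse_expat_version, is_fixed, runtime_expat_version
and report are names chosen for this example.
"""
import pyexpat

# Minimum libexpat version the thread asks for (assumption: 2.4.6, as stated in the post).
MIN_EXPAT = (2, 4, 6)


def parse_expat_version(label: str) -> tuple:
    """Turn a label such as 'expat_2.4.6' into the tuple (2, 4, 6).

    pyexpat.EXPAT_VERSION has this 'expat_X.Y.Z' form; a bare 'X.Y.Z'
    string is accepted as well.
    """
    core = label.split("_", 1)[1] if "_" in label else label
    return tuple(int(part) for part in core.split("."))


def is_fixed(version: tuple, minimum: tuple = MIN_EXPAT) -> bool:
    """True when the linked libexpat is at least the minimum version.

    Tuple comparison is lexicographic, so (2, 4, 6) > (2, 4, 4) > (2, 2, 8).
    """
    return tuple(version) >= tuple(minimum)


def runtime_expat_version() -> tuple:
    """Version of the libexpat actually loaded by this interpreter.

    This reflects the real shared library (distribution-provided or bundled),
    which is why it is a better signal than the Python release number alone.
    """
    return tuple(pyexpat.version_info)


def report(version: tuple = None, minimum: tuple = MIN_EXPAT) -> str:
    """Human-readable verdict for the given version (runtime version if None)."""
    if version is None:
        version = runtime_expat_version()
    label = ".".join(str(p) for p in version)
    want = ".".join(str(p) for p in minimum)
    verdict = "OK" if is_fixed(version, minimum) else "UPGRADE NEEDED"
    return f"libexpat {label} (minimum {want}): {verdict}"


if __name__ == "__main__":
    print(f"pyexpat reports {pyexpat.EXPAT_VERSION}")
    print(report())
```

Running this on each interpreter in the fleet gives a direct answer per host; on Linux distributions that link Python against the system libexpat, the reported version is the system library's, so a distribution package update can satisfy the check without a Python upgrade.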


