[New-bugs-announce] [issue29591] Various security vulnerabilities in bundled expat
Natanael Copa
report at bugs.python.org
Fri Feb 17 10:39:39 EST 2017
New submission from Natanael Copa:
cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.0 to fix various security vulnerabilities.
21 June 2016, Expat 2.2.0 released.
Release 2.2.0 includes security & other bug fixes.
Security fixes
CVE-2016-0718 (issue 537)
Fix crash on malformed input
CVE-2016-4472
Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716 introduced with Expat 2.1.1
CVE-2016-5300 (issue 499)
Use more entropy for hash initialization than the original fix to CVE-2012-0876
CVE-2012-6702 (issue 519)
Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)
Fix should be applied to all maintained python branches.
----------
messages: 288014
nosy: Natanael Copa
priority: normal
severity: normal
status: open
title: Various security vulnerabilities in bundled expat
type: security
versions: Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29591>
_______________________________________
More information about the New-bugs-announce
mailing list