[New-bugs-announce] [issue38174] Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8)

Uche Ogbuji report at bugs.python.org
Sat Sep 14 16:10:07 EDT 2019


New submission from Uche Ogbuji <uche at ogbuji.net>:

cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.8 to fix security vulnerability CVE-2019-15903.

From Sebastian Pipping on XML-DEV ML:

Expat 2.2.8 [1] has been released yesterday.  This release fixes a
security issue — a heap buffer over-read known as CVE-2019-15903 [2]
reported by Joonun Jang resulting in Denial of Service —, starts using
the rand_s function on Windows and MinGW (ending the previous
LoadLibrary hack), includes non-security bugfixes, many build system
fixes and improvements, improvements to xmlwf usability, and more.

For more details regarding the latest release, please check out the
changelog [3].

If you maintain Expat packaging or a bundled copy of Expat or a pinned
version of Expat somewhere, please update to 2.2.8.  Thank you!

[1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_8
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
[3] https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes

----------
components: XML
messages: 352449
nosy: Uche Ogbuji
priority: normal
severity: normal
status: open
title: Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8)
type: security
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38174>
_______________________________________
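Because CPython's pyexpat may be built against either the bundled copy in Modules/expat/ or a system libexpat, the version that matters is the one the running interpreter actually reports. The following is an added example, not code from the tracker issue, from CPython or from Expat: it reads pyexpat.EXPAT_VERSION (a string such as "expat_2.2.8") and pyexpat.version_info from the interpreter it runs under and decides whether that expat is at or past 2.2.8, the first release the announcement names as containing the fix for CVE-2019-15903. The function names and the FIXED_IN constant are this example's own.

```python
"""Report whether the expat linked into this interpreter's pyexpat
predates the 2.2.8 fix for CVE-2019-15903.

Added example for illustration; not part of the tracker issue or of
CPython.  The only facts it relies on are the two pyexpat attributes
used below and the 2.2.8 fix version stated in the Expat announcement.
"""
import re
import sys

import pyexpat

# First expat release carrying the CVE-2019-15903 fix, per the announcement.
FIXED_IN = (2, 2, 8)


def parse_expat_version(version_string):
    """Turn an expat version string such as 'expat_2.2.8' into (2, 2, 8).

    Only the first dotted major.minor.micro triple is used; anything
    else in the string (the 'expat_' prefix, suffixes) is ignored.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if match is None:
        raise ValueError("unrecognised expat version string: %r" % (version_string,))
    return tuple(int(part) for part in match.groups())


def is_fixed(version, fixed_in=FIXED_IN):
    """True if `version` (a major/minor/micro tuple) is >= the fixed release.

    Tuple comparison is numeric per component, so (2, 2, 10) correctly
    ranks above (2, 2, 8) where a string compare would not.
    """
    return tuple(version) >= tuple(fixed_in)


def running_expat_status():
    """Return (version_tuple, fixed) for the expat this interpreter uses.

    This is the copy pyexpat was actually linked against, which may be
    the bundled Modules/expat/ sources or a distribution-supplied
    libexpat; both expose the same two attributes.
    """
    version = parse_expat_version(pyexpat.EXPAT_VERSION)
    # version_info is the same information already split into a tuple;
    # prefer it when present, falling back to the parsed string.
    info = getattr(pyexpat, "version_info", None)
    if info:
        version = tuple(info)
    return version, is_fixed(version)


if __name__ == "__main__":
    version, fixed = running_expat_status()
    label = "fixed" if fixed else "VULNERABLE to CVE-2019-15903"
    print("Python %s uses expat %s: %s"
          % (sys.version.split()[0], ".".join(map(str, version)), label))
    sys.exit(0 if fixed else 1)
```

Run it under each interpreter you ship or deploy; a non-zero exit marks an interpreter whose expat, bundled or system, still needs the 2.2.8 update the announcement asks packagers to make.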