[issue17239] XML vulnerabilities in Python
STINNER Victor
report at bugs.python.org
Mon Sep 17 19:11:11 EDT 2018
STINNER Victor <vstinner at redhat.com> added the comment:
> Any reason to not take the current patch for our vendored copy and give it some exposure at least on platforms that rely on it (maybe just Windows)? I don't see any reason to wait on another group to "release" it when we need to manually apply the update to our own repo anyway.
My policy is upstream fix: first, get a change merged upstream.
If we start with a downstream patch:
* only Windows and macOS will get the fix
* upstream may require changes making the change incompatible, for example change the default limits
* I would prefer to keep Modules/expat/ as close as possible to the upstream
Python has been vulnerable for years, it's not like there is an urgency to fix it.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue17239>
_______________________________________