Please upgrade bundled Expat to 2.6.3 (e.g. for the fixes to CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492) · Issue #123678 · python/cpython (original) (raw)

Bug report

Bug description:

Hi! 👋

Please upgrade bundled Expat to 2.6.3 (e.g. for the fixes to CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492).

• GitHub release: https://github.com/libexpat/libexpat/releases/tag/R_2_6_3
• Change log: https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes

The CPython issue for previous 2.6.2 was #116741 and the related merged main pull request was #117296, in case you want to have a look. The Dockerfile from comment #117296 (review) could be of help with raising confidence in a bump pull request when going forward.

Thanks in advance!

CPython versions tested on:

3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch

Operating systems tested on:

Linux, macOS, Windows, Other

Linked PRs

• gh-123678: Upgrade libexpat 2.6.3 #123689
• [3.13] gh-123678: Upgrade libexpat 2.6.3 #123705
• [3.12] gh-123678: Upgrade libexpat 2.6.3 #123706
• [3.13] gh-123678: Upgrade libexpat 2.6.3 (GH-123689) #123707
• [3.12] gh-123678: Upgrade libexpat 2.6.3 (GH-123689) #123708
• [3.11] gh-123678: Upgrade libexpat 2.6.3 #123709
• [3.10] gh-123678: Upgrade libexpat 2.6.3 #123710
• [3.9] gh-123678: Upgrade libexpat 2.6.3 #123711
• [3.8] gh-123678: Upgrade libexpat 2.6.3 #123712