Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176) · Issue #131261 · python/cpython (original) (raw)

Bug report

Bug description:

Hi! 👋

Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176).

• GitHub release: https://github.com/libexpat/libexpat/releases/tag/R_2_7_0
• Change log: https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes
• Bonus: Blog post Recursion kills: The story behind CVE-2024-8176 in libexpat

The CPython issue for previous 2.6.4 was #126623 and the related merged main pull request was #126792, in case you want to have a look. The Dockerfile from comment #123689 (review) could be of help with raising confidence in a bump pull request when going forward.

Thanks in advance!

CC @sethmlarson @gpshead

CPython versions tested on:

3.9, 3.10, 3.11, 3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux, macOS, Windows, Other

Linked PRs

• gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) #131272
• gh-131261: expat/refresh.sh: Expand list of manual steps #131359
• [3.13] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) #131360
• [3.12] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) #131361
• [3.11] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) #131362
• [3.10] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) #131363
• [3.9] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) #131364