Expat 2.2.3
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
Expat 2.2.2 was released with multiple security fixes:
- #43: Protect against compilation without any source of high quality entropy enabled, e.g. with CMake build system
- #60: Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide string resulted in failure to load advapi32.dll and degradation in quality of used entropy when compiled with _UNICODE for Windows; you can launch existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the quality of entropy used during runtime
- [MOX-006]: Fix non-NULL parser parameter validation in XML_Parse; previously resulted in a NULL dereference
Expat 2.2.3 contains an additional security fix: #82: CVE-2017-11742 – Windows: Fix DLL hijacking vulnerability using Steve Holme’s LoadLibrary wrapper for/of cURL
Dates:
- Disclosure date: 2017-07-17 (Python issue bpo-30947 reported)
Fixed In
- Python 2.7.14 (2017-09-16) fixed by commit ec4ab09 (branch 2.7) (2017-08-18)
- Python 3.3.7 (2017-09-19) fixed by commit 297516e (branch 3.3) (2017-09-06)
- Python 3.4.8 (2018-02-04) fixed by commit 86a713c (branch 3.4) (2017-09-24)
- Python 3.5.5 (2018-02-04) fixed by commit f2492bb (branch 3.5) (2017-09-25)
- Python 3.6.3 (2017-10-03) fixed by commit 83e37e1 (branch 3.6) (2017-08-18)
- Python 3.7.0 (2018-06-27) fixed by commit 93d0cb5 (branch 3.7) (2017-08-18)
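A quick way to check an interpreter against this record is to compare the libexpat version it embeds (exposed by the standard-library module pyexpat) with the patched version 2.2.3, and its own version with the "Fixed In" list above. The following script is an added example, not part of this record or of CPython; the only inputs it relies on are the libexpat and Python versions listed on this page, and the branch table is limited to those listed here (newer minor branches are treated as shipping with a later libexpat).

```python
"""Check whether the running interpreter carries the libexpat 2.2.3 fixes.

Added example for the python-security record above; it is not part of
CPython. Thresholds come only from the record: libexpat 2.2.3 and the
first fixed release of each Python branch in the "Fixed In" list.
"""
import sys
import pyexpat

# Minimum libexpat version that contains the fixes described on the page.
FIXED_EXPAT = (2, 2, 3)

# First fixed release per minor branch, copied from the "Fixed In" list.
FIXED_PYTHON = {
    (2, 7): (2, 7, 14),
    (3, 3): (3, 3, 7),
    (3, 4): (3, 4, 8),
    (3, 5): (3, 5, 5),
    (3, 6): (3, 6, 3),
    (3, 7): (3, 7, 0),
}


def expat_is_fixed(expat_version):
    """True if the (major, minor, micro) libexpat version is at least 2.2.3."""
    return tuple(expat_version)[:3] >= FIXED_EXPAT


def python_is_fixed(py_version):
    """True if the (major, minor, micro) Python version is at or past the
    first fixed release of its branch.

    Branches newer than any in the table (3.8 and later) were released after
    the fix and are treated as fixed; branches older than those listed are
    not covered by the record and are conservatively reported as not fixed.
    """
    major, minor, micro = tuple(py_version)[:3]
    fixed = FIXED_PYTHON.get((major, minor))
    if fixed is None:
        return (major, minor) > max(FIXED_PYTHON)
    return (major, minor, micro) >= fixed


def report():
    """Evaluate the running interpreter and return (expat_ok, python_ok)."""
    expat_ok = expat_is_fixed(pyexpat.version_info)
    python_ok = python_is_fixed(sys.version_info)
    print(f"{pyexpat.EXPAT_VERSION}: {'fixed' if expat_ok else 'NOT fixed'}")
    print(f"Python {sys.version.split()[0]}: "
          f"{'fixed' if python_ok else 'NOT fixed'} per this record")
    return expat_ok, python_ok


if __name__ == "__main__":
    report()
```

Note that a Python build linked against the system libexpat rather than the bundled copy reports the system library's version, so the pyexpat check is the one that reflects the code actually running; the Python version check only tells you which bundled copy the release shipped with.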
Python issue
Update embedded copy of libexpat from 2.2.1 to 2.2.3.
- Python issue: bpo-30947
- Creation date: 2017-07-17
- Reporter: STINNER Victor
Timeline
Timeline using the disclosure date 2017-07-17 as reference:
- 2017-07-17: Python issue bpo-30947 reported by STINNER Victor
- 2017-08-18 (+32 days): commit 83e37e1 (branch 3.6)
- 2017-08-18 (+32 days): commit 93d0cb5 (branch 3.7)
- 2017-08-18 (+32 days): commit ec4ab09 (branch 2.7)
- 2017-09-06 (+51 days): commit 297516e (branch 3.3)
- 2017-09-16 (+61 days): Python 2.7.14 released
- 2017-09-19 (+64 days): Python 3.3.7 released
- 2017-09-24 (+69 days): commit 86a713c (branch 3.4)
- 2017-09-25 (+70 days): commit f2492bb (branch 3.5)
- 2017-10-03 (+78 days): Python 3.6.3 released
- 2018-02-04 (+202 days): Python 3.4.8 released
- 2018-02-04 (+202 days): Python 3.5.5 released
- 2018-06-27: Python 3.7.0 released