CVE-2017-9233: Expat 2.2.1

Upgrade the embedded expat copy from 2.2.0 to 2.2.1 to get fixes for multiple security vulnerabilities, including:

  • CVE-2017-9233 (external entity infinite loop DoS),
  • CVE-2016-9063 (integer overflow, re-fix),
  • CVE-2016-0718 (fix regression bugs from 2.2.0’s fix to CVE-2016-0718),
  • CVE-2012-0876 (counter hash flooding with SipHash).

Note: CVE-2016-5300 (use OS-specific entropy sources like getrandom) doesn’t impact Python, since Python already gets entropy from the OS and sets the expat hash secret itself using XML_SetHashSalt().

  • Disclosure date: 2017-06-17 (Expat 2.2.1 release)

Fixed In

Vulnerable Versions

  • Python 3.7

Python issue

Update embedded copy of expat to 2.2.1.

  • Python issue: bpo-30694
  • Creation date: 2017-06-18
  • Reporter: Ned Deily

Timeline using the disclosure date 2017-06-17 as reference: