Expat 2.2.3

Expat 2.2.2 was released with multiple security fixes:

  • #43: Protect against compilation without any source of high quality entropy enabled, e.g. with CMake build system
  • #60: Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide string resulted in failure to load advapi32.dll and degradation in quality of used entropy when compiled with _UNICODE for Windows; you can launch existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the quality of entropy used during runtime
  • [MOX-006]: Fix non-NULL parser parameter validation in XML_Parse; resulted in NULL dereference, previously

Expat 2.2.3 contains an additional security fix: #82: CVE-2017-11742 – Windows: Fix DLL hijacking vulnerability using Steve Holme’s LoadLibrary wrapper for/of cURL


  • Disclosure date: 2017-07-17 (Python issue bpo-30947 reported)

Fixed In

Python issue

Update embeded copy of libexpat from 2.2.1 to 2.2.3.

  • Python issue: bpo-30947
  • Creation date: 2017-07-17
  • Reporter: STINNER Victor


Timeline using the disclosure date 2017-07-17 as reference: