Expat 2.2.3


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Expat 2.2.2 was released with multiple security fixes:

  • #43: Protect against compilation without any source of high quality entropy enabled, e.g. with CMake build system
  • #60: Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide string resulted in failure to load advapi32.dll and degradation in quality of used entropy when compiled with _UNICODE for Windows; you can launch existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the quality of entropy used during runtime
  • [MOX-006]: Fix non-NULL parser parameter validation in XML_Parse; resulted in NULL dereference, previously

Expat 2.2.3 contains an additional security fix: #82: CVE-2017-11742 – Windows: Fix DLL hijacking vulnerability using Steve Holme’s LoadLibrary wrapper for/of cURL


  • Disclosure date: 2017-07-17 (Python issue bpo-30947 reported)

Fixed In

Python issue

Update embeded copy of libexpat from 2.2.1 to 2.2.3.

  • Python issue: bpo-30947
  • Creation date: 2017-07-17
  • Reporter: STINNER Victor


Timeline using the disclosure date 2017-07-17 as reference: