Expat 2.2.3
Expat 2.2.2 was released with multiple security fixes:
- #43: Protect against compilation without any source of high quality entropy enabled, e.g. with CMake build system
- #60: Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide string resulted in failure to load advapi32.dll and degradation in quality of used entropy when compiled with _UNICODE for Windows; you can launch existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the quality of entropy used during runtime
- [MOX-006]: Fix validation of the non-NULL parser parameter in XML_Parse; previously this resulted in a NULL dereference
Expat 2.2.3 contains an additional security fix: #82: CVE-2017-11742 – Windows: Fix a DLL hijacking vulnerability by using Steve Holme's LoadLibrary wrapper from cURL
- Disclosure date: 2017-07-17 (Python issue bpo-30947 reported)
Fixed In
- Python 2.7.14 (2017-09-17) fixed by commit ec4ab09 (branch 2.7) (2017-08-18)
- Python 3.3.7 (2017-09-19) fixed by commit 297516e (branch 3.3) (2017-09-06)
- Python 3.4.8 (2018-02-04) fixed by commit 86a713c (branch 3.4) (2017-09-24)
- Python 3.5.5 (2018-02-04) fixed by commit f2492bb (branch 3.5) (2017-09-25)
- Python 3.6.3 (2017-10-03) fixed by commit 83e37e1 (branch 3.6) (2017-08-18)
- Python 3.7.0 (2018-06-28) fixed by commit 93d0cb5 (branch 3.7) (2017-08-18)
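A runtime check built from the Expat changelog and the "Fixed In" list above, as an added example that is not part of this advisory: it compares the libexpat version linked into the running interpreter (pyexpat.version_info) against 2.2.3, and the interpreter's own version against the first fixed patch release of its branch. The function names and the FIXED_* tables are this example's own; the table only covers branches the advisory lists.

```python
"""Check whether this interpreter carries the libexpat 2.2.3 fixes.

Added example, not part of the advisory or of CPython. Function names and
the two lookup tables are this example's own, filled from the text above.
"""
import sys

import pyexpat

# libexpat release containing #82 / CVE-2017-11742 (from the advisory).
FIXED_EXPAT = (2, 2, 3)

# First patch release per branch shipping libexpat 2.2.3 ("Fixed In" list).
FIXED_PYTHON = {
    (2, 7): (2, 7, 14),
    (3, 3): (3, 3, 7),
    (3, 4): (3, 4, 8),
    (3, 5): (3, 5, 5),
    (3, 6): (3, 6, 3),
    (3, 7): (3, 7, 0),
}


def expat_is_fixed(expat_version=None):
    """True if the linked libexpat is >= 2.2.3 (#82 / CVE-2017-11742 fixed).

    Defaults to pyexpat.version_info, i.e. the libexpat actually in use,
    whether bundled with CPython or supplied by the OS distribution.
    """
    if expat_version is None:
        expat_version = pyexpat.version_info
    return tuple(expat_version[:3]) >= FIXED_EXPAT


def python_is_fixed(py_version=None):
    """True if this CPython patch release bundles the fix per the list above.

    Returns None for branches the advisory does not list. Only meaningful
    for builds using the embedded libexpat; otherwise use expat_is_fixed().
    """
    if py_version is None:
        py_version = sys.version_info
    branch = tuple(py_version[:2])
    if branch not in FIXED_PYTHON:
        return None
    return tuple(py_version[:3]) >= FIXED_PYTHON[branch]


if __name__ == "__main__":
    print("libexpat", pyexpat.EXPAT_VERSION, "fixed:", expat_is_fixed())
    print("python", sys.version.split()[0], "fixed:", python_is_fixed())
```

Prefer expat_is_fixed() on distributions that link Python against a system libexpat, since the Python version alone says nothing about that library.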
Python issue
Update embedded copy of libexpat from 2.2.1 to 2.2.3.
- Python issue: bpo-30947
- Creation date: 2017-07-17
- Reporter: STINNER Victor
Timeline
Timeline using the disclosure date 2017-07-17 as reference:
- 2017-07-17: Python issue bpo-30947 reported by STINNER Victor
- 2017-08-18 (+32 days): commit 83e37e1 (branch 3.6)
- 2017-08-18 (+32 days): commit 93d0cb5 (branch 3.7)
- 2017-08-18 (+32 days): commit ec4ab09 (branch 2.7)
- 2017-09-06 (+51 days): commit 297516e (branch 3.3)
- 2017-09-17 (+62 days): Python 2.7.14 released
- 2017-09-19 (+64 days): Python 3.3.7 released
- 2017-09-24 (+69 days): commit 86a713c (branch 3.4)
- 2017-09-25 (+70 days): commit f2492bb (branch 3.5)
- 2017-10-03 (+78 days): Python 3.6.3 released
- 2018-02-04 (+202 days): Python 3.4.8 released
- 2018-02-04 (+202 days): Python 3.5.5 released
- 2018-06-28: Python 3.7.0 released