Skip to content

Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176) #131261

New issue
New issue
Closed
Closed
Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176)#131261
Assignees
gpsheadsethmlarson
Labels
3.10only security fixes3.11only security fixes3.12only security fixes3.13bugs and security fixes3.14bugs and security fixes3.9only security fixesextension-modulesC modules in the Modules dirrelease-blockertopic-XMLtype-securityA security issue
@hartwork

Description

@hartwork
hartwork
opened on Mar 14, 2025 · edited by bedevere-app
Contributor

Bug report

Bug description:

Hi! 👋

Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176).

The CPython issue for previous 2.6.4 was #126623 and the related merged main pull request was #126792, in case you want to have a look. The Dockerfile from comment #123689 (review) could be of help with raising confidence in a bump pull request when going forward.

Thanks in advance!

CC @sethmlarson @gpshead

CPython versions tested on:

3.9, 3.10, 3.11, 3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux, macOS, Windows, Other

Linked PRs

Activity

hartwork
added
type-bugAn unexpected behavior, bug, or error
on Mar 14, 2025
hartwork
mentioned this on Mar 14, 2025
picnixz
added
topic-XML
type-securityA security issue
3.11only security fixes
3.10only security fixes
3.9only security fixes
3.12only security fixes
3.13bugs and security fixes
3.14bugs and security fixes
extension-modulesC modules in the Modules dir
and removed
type-bugAn unexpected behavior, bug, or error
on Mar 14, 2025
bedevere-app
mentioned this on Mar 15, 2025
gpshead
added
release-blocker
on Mar 15, 2025
ezio-melotti
added this to Release and Deferred blockers 🚫on Mar 15, 2025

18 remaining items

encukou
added 2 commits that reference this issue on Mar 18, 2025

gh-131261: expat/refresh.sh: Expand list of manual steps (GH-131359)

51d3099

[3.12] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131361)

38ef8d7
gpshead

gpshead commented on Mar 18, 2025

@gpshead
gpshead
on Mar 18, 2025
Member

For those watching: chatting with @sethmlarson, we decided this one is not worth expedited security releases on. this should land in our next regularly scheduled releases seen in https://peps.python.org/topic/release/.

hartwork

hartwork commented on Mar 18, 2025

@hartwork
hartwork
on Mar 18, 2025
ContributorAuthor

Thanks for updating and sharing that info! 👍

colesbury
added a commit that references this issue on Mar 20, 2025

pythongh-131261: expat/refresh.sh: Expand list of manual steps (pytho…

95fc905
hartwork
mentioned this on Mar 27, 2025
pablogsal
added a commit that references this issue on Apr 1, 2025

[3.10] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) (

b22e607
ambv
added 2 commits that reference this issue on Apr 3, 2025

[3.11] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) (

ba49eab

[3.9] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) (

8ad2d88
hugovk

hugovk commented on Apr 7, 2025

@hugovk
hugovk
on Apr 7, 2025
Member

2.7.0 is merged and backported, see #131809 / #132192 for 2.7.1.

hugovk
closed this as completedon Apr 7, 2025
github-project-automation
moved this from In Progress to Done in Release and Deferred blockers 🚫on Apr 7, 2025
sethmlarson
mentioned this on Apr 7, 2025
seehwan
added 2 commits that reference this issue on Apr 16, 2025

pythongh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (python#131272

9335e1c

pythongh-131261: expat/refresh.sh: Expand list of manual steps (pytho…

877149a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

3.10only security fixes3.11only security fixes3.12only security fixes3.13bugs and security fixes3.14bugs and security fixes3.9only security fixesextension-modulesC modules in the Modules dirrelease-blockertopic-XMLtype-securityA security issue

Projects

Release and Deferred blockers 🚫

Status

Done

Milestone

No milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @gpshead@hugovk@hartwork@picnixz@sethmlarson

      Issue actions
        Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176) · Issue #131261 · python/cpython