
gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) #131272

Merged
merged 5 commits into from
Mar 17, 2025

Conversation


@gpshead gpshead commented Mar 15, 2025

A straightforward upgrade from expat 2.6.4 to 2.7.0. See the issue.

@gpshead gpshead added the type-security A security issue label Mar 15, 2025
@gpshead gpshead requested a review from sethmlarson March 15, 2025 06:30
@gpshead gpshead added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 bug and security fixes needs backport to 3.13 bugs and security fixes release-blocker labels Mar 15, 2025
@gpshead gpshead changed the title gh-131261: Update the libexpat to 2.7.0 (CVE-2024-8176) gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) Mar 15, 2025
@gpshead gpshead added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Mar 15, 2025
@bedevere-bot

🤖 New build scheduled with the buildbot fleet by @gpshead for commit 9b00232 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F131272%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Mar 15, 2025
@gpshead gpshead requested a review from encukou March 15, 2025 18:13
@@ -0,0 +1 @@
Upgrade to libexpat 2.7.0
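Review bot: the one-line NEWS entry does not carry the CVE identifier that the PR title does (CVE-2024-8176), so a reader scanning the changelog alone cannot tell this bump is a security fix; if the changelog is meant to be self-describing, consider "Upgrade to libexpat 2.7.0 to address CVE-2024-8176", otherwise note that the SBOM is the intended place to look.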
Member

Should this mention the CVE?

Member Author

The previous 2.6.3 update didn't, so I didn't here, but maybe? No strong opinion myself.

Contributor

@sethmlarson sethmlarson left a comment


LGTM, I don't think it's necessary to mention the CVE in the changelog as the component is recorded in an SBOM.
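Since the comment above relies on the SBOM rather than the changelog to record the component, here is an added example (not part of the PR or CPython's own tooling) of the check a consumer would run: read an SPDX-style SBOM, find the expat component, and compare its version against the 2.7.0 release that carries the fix. The SBOM fragment is constructed for the example, and the `pyexpat.version_info` check covers the interpreter the script runs under.

```python
import json
from typing import Optional, Tuple

import pyexpat

# Constructed SPDX-style SBOM fragment (not CPython's real Misc/sbom.spdx.json);
# only the fields this check reads are included.
SAMPLE_SBOM = json.dumps({
    "packages": [
        {"name": "zlib", "versionInfo": "1.3.1"},
        {"name": "expat", "versionInfo": "2.6.4"},
    ]
})

FIXED_VERSION = (2, 7, 0)  # libexpat release addressing CVE-2024-8176


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.7.0' into (2, 7, 0); a non-numeric part ends the parse."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def expat_version(sbom_json: str) -> Optional[Tuple[int, ...]]:
    """Return the expat component version recorded in the SBOM, or None."""
    doc = json.loads(sbom_json)
    for pkg in doc.get("packages", []):
        if pkg.get("name", "").lower() in ("expat", "libexpat"):
            return parse_version(pkg.get("versionInfo", ""))
    return None


def expat_is_fixed(sbom_json: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the SBOM records expat at or above the fixed release."""
    found = expat_version(sbom_json)
    return found is not None and found >= fixed


def running_interpreter_is_fixed(fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """Same check against the expat linked into this interpreter."""
    return tuple(pyexpat.version_info) >= fixed


if __name__ == "__main__":
    print("SBOM expat:", expat_version(SAMPLE_SBOM), "fixed:", expat_is_fixed(SAMPLE_SBOM))
    print("this interpreter fixed:", running_interpreter_is_fixed())
```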

Member

@encukou encukou left a comment


I confirm that the patch matches 2.7.0.

I didn't review the patch itself; I'd probably need days to grok the code.

@encukou encukou merged commit bb0268f into python:main Mar 17, 2025
123 checks passed
@miss-islington-app

Thanks @gpshead for the PR, and @encukou for merging it 🌮🎉. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.13

@miss-islington-app miss-islington-app bot assigned encukou and unassigned gpshead and sethmlarson Mar 17, 2025
@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.12

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.11

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.10

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.9

@encukou
Member

encukou commented Mar 17, 2025

I'm backporting.

@bedevere-app

bedevere-app bot commented Mar 17, 2025

GH-131360 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Mar 17, 2025
encukou pushed a commit to encukou/cpython that referenced this pull request Mar 17, 2025
…honGH-131272)

(cherry picked from commit bb0268f)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app

bedevere-app bot commented Mar 17, 2025

GH-131362 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Mar 17, 2025
@bedevere-app

bedevere-app bot commented Mar 17, 2025

GH-131363 is a backport of this pull request to the 3.10 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label Mar 17, 2025
@bedevere-app

bedevere-app bot commented Mar 17, 2025

GH-131364 is a backport of this pull request to the 3.9 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.9 only security fixes label Mar 17, 2025
plashchynski pushed a commit to plashchynski/cpython that referenced this pull request Mar 17, 2025