Python versions with libexpat fixes

[raghupcr]

Hi Friends,

Anyone having information about the python versions in which the libexpat security issues are getting fixed

below is the bug id for the same

https://bugs.python.org/issue46794

we are using python 3.9.5 which carries libexpat 2.2.8, as this expat version is having critical vulnerabilites ( > 5) we need to upgrade this libexpat.

To do so we need to get the right python version which fixes this libexpat issue.

is there a way where only libexpat can be upgraded in the existing python version (3.9.5) just a doubt?

Thanks in advance

[DeaD_EyE]

To do so we need to get the right python version which fixes this libexpat issue.

The code has been pushed already, but there is currently no version bump of Python 3.7 - 3.11
You've to wait or compile it yourself. To compile it yourself, you require all build-dependencies.


You can grab a specific branch (Major.Minor) to get the newest changes.
Shortcut if all build-dependencies are fulfilled:

mkdir Python3.9

git clone --depth 1 -b 3.9 https://github.com/python/cpython.git
cd cpython
# show the version bump of expat
less -N +1042 Modules/expat/expat.h

# configure
./configure --prefix=ABSOLUTE_PATH_TO_PYTHON3.9_BUT_NOT_FOR_SYSTEM
make -j 8
make install

Then it's installed locally not as root in Python3.9.
To test the new compiled interpreter just run:

ABSOLUTE_PATH_TO_PYTHON3.9/bin/python3

Getting current used expat version:

from xml.parsers import expat


print(expat.version_info)

The last version was Python 3.9.9, so the new changes are for the future 3.9.10 and of course for all other branches.

[raghupcr]

Thanks a lot for the reply

so we need to wait for the newer version of 3.9

i think already 3.9.10 got released in jan
Python 3.9.10 final
Release date: 2022-01-13

so may be next version is 3.9.11?

Thanks

[Larz60+]

You may get an answer here, if anybody knows the answer, however we are not part of python.org,
the authors of main python releases. You should contact them.

This forum is not part of python.org.

[DeaD_EyE]

Yes, you're right. The latest Python bugfix release of 3.9 is currently 3.9.10.
The compiled version shows 3.9.10+. The + means 3.9.10 + all pending fixes for next release. I think Distributors like Debian release a fixed version. Maybe before even Python releases an official bugfix release. It depends on how bad the security risk is.

From PEP596 you can look up, when new bugfix releases are planned:

Expected:

3.9.11: Monday, 2022-03-14

I guess they do the bugfix release earlier.

For the record, the CVE's:

• https://cve.mitre.org/cgi-bin/cvename.cg...2022-25235
  
• https://cve.mitre.org/cgi-bin/cvename.cg...2022-25236
  
• https://cve.mitre.org/cgi-bin/cvename.cg...2022-25313
  
• https://cve.mitre.org/cgi-bin/cvename.cg...2022-25314
  
• https://cve.mitre.org/cgi-bin/cvename.cg...2022-25315
  

If you look for older releases, they all had security fixes: https://libexpat.github.io/

[raghupcr]

Thanks a lot for the detailed info Bishop :) :)