gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) by gpshead · Pull Request #131272 · python/cpython

gpshead · 2025-03-15T06:30:53Z

A straightforward upgrade from expat 2.6.4 to 2.7.0. See the issue.

Issue: Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176) #131261

bedevere-bot · 2025-03-15T07:01:24Z

🤖 New build scheduled with the buildbot fleet by @gpshead for commit 9b00232 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F131272%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

zware · 2025-03-15T20:20:11Z

Misc/NEWS.d/next/Security/2025-03-14-23-28-39.gh-issue-131261.0aB6nM.rst

@@ -0,0 +1 @@
+Upgrade to libexpat 2.7.0


Should this mention the CVE?

the previous 2.6.3 update didn't so I didn't here, but maybe? no strong opinion myself.

sethmlarson

LGTM, I don't think it's necessary to mention the CVE in the changelog as the component is recorded in an SBOM.

encukou

I confirm that the patch matches 2.7.0.

I didn't review the patch itself; I'd probably need days to grok the code.

miss-islington-app · 2025-03-17T13:55:11Z

Thanks @gpshead for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

miss-islington-app · 2025-03-17T13:55:14Z

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.13

miss-islington-app · 2025-03-17T13:55:18Z

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.12

miss-islington-app · 2025-03-17T13:55:22Z

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.11

miss-islington-app · 2025-03-17T13:55:25Z

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.10

miss-islington-app · 2025-03-17T13:55:29Z

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.9

encukou · 2025-03-17T13:59:17Z

I'm backporting.

bedevere-app · 2025-03-17T14:09:45Z

GH-131360 is a backport of this pull request to the 3.13 branch.

…honGH-131272) (cherry picked from commit bb0268f) Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-app · 2025-03-17T15:07:03Z

GH-131362 is a backport of this pull request to the 3.11 branch.

bedevere-app · 2025-03-17T15:07:06Z

GH-131363 is a backport of this pull request to the 3.10 branch.

bedevere-app · 2025-03-17T15:07:23Z

GH-131364 is a backport of this pull request to the 3.9 branch.

)

#131363)

GH-131362) (cherry picked from commit bb0268f) (cherry picked from commit 6af54d2) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…GH-131364) (cherry picked from commit bb0268f) (cherry picked from commit 6af54d2) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

gpshead added 3 commits March 14, 2025 23:23

Update expat refresh script to 2.7.0.

eed9d8a

Upgrade to expat 2.7.0.

fb387c8

NEWS blurb

9a7a567

gpshead added the type-security A security issue label Mar 15, 2025

gpshead requested a review from sethmlarson March 15, 2025 06:30

bedevere-app bot added the awaiting core review label Mar 15, 2025

bedevere-app bot mentioned this pull request Mar 15, 2025

Please upgrade bundled Expat to 2.7.0 (e.g. for the fix to CVE-2024-8176) #131261

Closed

gpshead added needs backport to 3.9 needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes release-blocker labels Mar 15, 2025

github-project-automation bot added this to Release and Deferred blockers 🚫 Mar 15, 2025

github-project-automation bot moved this to Todo in Release and Deferred blockers 🚫 Mar 15, 2025

gpshead changed the title ~~gh-131261: Update the libexpat to 2.7.0 (CVE-2024-8176)~~ gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) Mar 15, 2025

gpshead added 2 commits March 14, 2025 23:35

make regen-sbom

faa9f45

update the count of expected warnings in xmlparse on macOS

9b00232

gpshead added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Mar 15, 2025

bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Mar 15, 2025

gpshead assigned gpshead and sethmlarson Mar 15, 2025

gpshead requested a review from encukou March 15, 2025 18:13

zware approved these changes Mar 15, 2025

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Mar 15, 2025

sethmlarson approved these changes Mar 17, 2025

View reviewed changes

encukou approved these changes Mar 17, 2025

View reviewed changes

encukou merged commit bb0268f into python:main Mar 17, 2025
123 checks passed

github-project-automation bot moved this from Todo to Done in Release and Deferred blockers 🚫 Mar 17, 2025

bedevere-app bot removed the awaiting merge label Mar 17, 2025

miss-islington-app bot assigned encukou and unassigned gpshead and sethmlarson Mar 17, 2025

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Mar 17, 2025

encukou pushed a commit to encukou/cpython that referenced this pull request Mar 17, 2025

[3.13] pythongh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (pyt…

4b0d55d

…honGH-131272) (cherry picked from commit bb0268f) Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-app bot removed the needs backport to 3.11 only security fixes label Mar 17, 2025

bedevere-app bot removed the needs backport to 3.10 only security fixes label Mar 17, 2025

bedevere-app bot removed the needs backport to 3.9 label Mar 17, 2025

plashchynski pushed a commit to plashchynski/cpython that referenced this pull request Mar 17, 2025

pythongh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (python#131272

47057de

)

hartwork mentioned this pull request Mar 27, 2025

Please upgrade bundled Expat to 2.7.1 #131809

Closed

pablogsal pushed a commit that referenced this pull request Apr 1, 2025

[3.10] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) (

b22e607

#131363)

hugovk removed the needs backport to 3.12 only security fixes label Apr 8, 2025

Uh oh!

Conversation

gpshead commented Mar 15, 2025 • edited by bedevere-app bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bedevere-bot commented Mar 15, 2025

Uh oh!

zware Mar 15, 2025

Choose a reason for hiding this comment

Uh oh!

gpshead Mar 17, 2025

Choose a reason for hiding this comment

Uh oh!

sethmlarson left a comment

Choose a reason for hiding this comment

Uh oh!

encukou left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

miss-islington-app bot commented Mar 17, 2025

Uh oh!

miss-islington-app bot commented Mar 17, 2025

Uh oh!

miss-islington-app bot commented Mar 17, 2025

Uh oh!

miss-islington-app bot commented Mar 17, 2025

Uh oh!

miss-islington-app bot commented Mar 17, 2025

Uh oh!

miss-islington-app bot commented Mar 17, 2025

Uh oh!

encukou commented Mar 17, 2025

Uh oh!

bedevere-app bot commented Mar 17, 2025

Uh oh!

bedevere-app bot commented Mar 17, 2025

Uh oh!

bedevere-app bot commented Mar 17, 2025

Uh oh!

bedevere-app bot commented Mar 17, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

gpshead commented Mar 15, 2025 •

edited by bedevere-app bot

Loading