gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) #131272

Merged
encukou merged 5 commits into python:main from gpshead:security/3p/libexpat/1.7.0
Mar 17, 2025

@gpshead (Member) commented Mar 15, 2025

A straightforward upgrade from expat 2.6.4 to 2.7.0. See the issue.

@gpshead added the type-security (A security issue) label Mar 15, 2025
@gpshead added the needs backport to 3.9 (only security fixes), needs backport to 3.10 (only security fixes), needs backport to 3.11 (only security fixes), needs backport to 3.12 (only security fixes), needs backport to 3.13 (bugs and security fixes) and release-blocker labels Mar 15, 2025
@gpshead changed the title from "gh-131261: Update the libexpat to 2.7.0 (CVE-2024-8176)" to "gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176)" Mar 15, 2025
@gpshead added the 🔨 test-with-buildbots (Test PR w/ buildbots; report in status section) label Mar 15, 2025

@bedevere-bot

🤖 New build scheduled with the buildbot fleet by @gpshead for commit 9b00232 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F131272%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot removed the 🔨 test-with-buildbots (Test PR w/ buildbots; report in status section) label Mar 15, 2025
@gpshead requested a review from encukou March 15, 2025 18:13
@@ -0,0 +1 @@
Upgrade to libexpat 2.7.0
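Review bot: the single added line names only the new version. It carries neither the version being replaced nor the CVE from the pull request title (CVE-2024-8176), so someone reading this changelog entry on its own cannot tell that the upgrade is a security update. Suggest wording such as "Upgrade to libexpat 2.7.0 (CVE-2024-8176)".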
Member

Should this mention the CVE?

sethmlarson reacted with thumbs up emoji
Member, Author

the previous 2.6.3 update didn't so I didn't here, but maybe? no strong opinion myself.

zware reacted with thumbs up emoji
@sethmlarson (Contributor) left a comment


LGTM, I don't think it's necessary to mention the CVE in the changelog as the component is recorded in an SBOM.

@encukou (Member) left a comment


I confirm that the patch matches 2.7.0.

I didn't review the patch itself; I'd probably need days to grok the code.

@encukou merged commit bb0268f into python:main Mar 17, 2025
123 checks passed
@miss-islington-app

Thanks @gpshead for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.13

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.12

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.11

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.10

@miss-islington-app

Sorry, @gpshead and @encukou, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker bb0268f60dfe903a9bdb8d84104247a9318c6b18 3.9

@encukou (Member)

I'm backporting.

@bedevere-app

GH-131360 is a backport of this pull request to the 3.13 branch.

@bedevere-app (bot) removed the needs backport to 3.13 (bugs and security fixes) label Mar 17, 2025
encukou pushed a commit to encukou/cpython that referenced this pull request Mar 17, 2025
…honGH-131272) (cherry picked from commit bb0268f) Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app

GH-131362 is a backport of this pull request to the 3.11 branch.

@bedevere-app (bot) removed the needs backport to 3.11 (only security fixes) label Mar 17, 2025
@bedevere-app

GH-131363 is a backport of this pull request to the 3.10 branch.

@bedevere-app (bot) removed the needs backport to 3.10 (only security fixes) label Mar 17, 2025
@bedevere-app

GH-131364 is a backport of this pull request to the 3.9 branch.

@bedevere-app (bot) removed the needs backport to 3.9 (only security fixes) label Mar 17, 2025
plashchynski pushed a commit to plashchynski/cpython that referenced this pull request Mar 17, 2025
ambv pushed a commit that referenced this pull request Apr 3, 2025
GH-131362) (cherry picked from commit bb0268f) (cherry picked from commit 6af54d2) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv pushed a commit that referenced this pull request Apr 3, 2025
…GH-131364) (cherry picked from commit bb0268f) (cherry picked from commit 6af54d2) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
@hugovk removed the needs backport to 3.12 (only security fixes) label Apr 8, 2025
seehwan pushed a commit to seehwan/cpython that referenced this pull request Apr 16, 2025
Reviewers

@encukou approved these changes
@zware approved these changes
@sethmlarson approved these changes

Assignees

@encukou

6 participants
@gpshead @bedevere-bot @encukou @zware @sethmlarson @hugovk
