
Hi All, we are using the Python 3.9.5 version in our application. 3.9.5 uses libexpat 2.2.8, and as part of the Black Duck scan it is showing critical vulnerabilities in libexpat 2.2.8 (CVE-2022-22824, CVE-2022-23990, CVE-2022-23852, CVE-2022-25236, CVE-2022-22823). When there are any issues (security issues) in external modules like OpenSSL, bzip2, and zlib we were able to get the latest code and build, as it is straightforward, but libexpat is an internal module to Python and we don't see how we can upgrade libexpat alone in Python 3.9.5. So is there a way we can build Python (e.g. 3.9.5), which is already carrying libexpat 2.2.8, so that it will link to the latest libexpat version (2.4.6, which fixed the security issues)? Another solution we found when searching the net and the mails is that we need to wait for Python 3.9.11, where this will be linked to libexpat 2.4.6. Any inputs on this will be helpful. Thanks, Raghu

Are you asking how to link Python to an external libexpat instead of the vendored expat inside Python? Have you tried deleting libexpat 2.2.8 from the Python source code, replacing it with libexpat 2.4.6 and then compiling Python? Are you concerned that you need fixes in the Python code to support the 2.4 version? Barry

Hi Scott, thanks for the reply.
From: Barry Scott <barry@barrys-emacs.org> Sent: Saturday, February 26, 2022 3:08 AM Subject: Re: [Python-Dev] Need Help (replying to the message from Prasad, PCRaghavendra of 25 Feb 2022, 12:58)
> Are you asking how to link Python to an external libexpat instead of the vendored expat inside Python?
Yes, we have done this for some of the external libs like OpenSSL and bzip2, but libexpat was an internal module to Python, so how to link to the latest expat lib/code without changing the Python version was our doubt.
> Have you tried deleting libexpat 2.2.8 from the Python source code, replacing it with libexpat 2.4.6 and then compiling Python?
No. Do you mean here removing the files (the python\Modules\expat folder) and replacing them with the new files from libexpat 2.4.6? We didn't do that. We didn't know whether that is the right way of doing it and whether there are any incompatibilities with the Python version (3.9.5).
> Are you concerned that you need fixes in the Python code to support the 2.4 version?
Yes, our application is running with Python 3.9.5 and it internally contains libexpat 2.2.8, which has security vulnerabilities. One way is to upgrade Python to the latest version where the libexpat issues are fixed (maybe 3.9.11).
What is the best approach so that there will be no major issues? Thanks, Raghu

Scott is my family name.
If I were doing this I would replace the libexpat code inside the Python tree, then compile Python and see if that works without error. Take that Python version and run the Python test suite against it. If that passes, then I would run my application’s test suite to ensure no regressions. Barry

The embedded copy of expat was recently upgraded to 2.4.6 in https://bugs.python.org/issue46794, including on the 3.9 branch. That will wind up in 3.9.11 per https://www.python.org/dev/peps/pep-0596/. If you are using 3.9.5 you may also have a host of other potential security issues that updating to a recent 3.9.x will address. If you are using 3.9.5 as provided by a Linux or similar OS distribution, I'd expect the OS distro packager to be applying relevant patches to it themselves (some distros link to their own managed libexpat instead of using the embedded version) even if they don't change the version number. -gps (replying to the message from Prasad, PCRaghavendra <Pcraghavendra.Prasad@dell.com> of Fri, Feb 25, 2022, 11:43 AM)
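A verification step for the rebuild procedure Barry describes and for gps's point that a distro build may already link a different libexpat, added here as an example that is not part of the thread: after rebuilding (or on a vendor-supplied interpreter), confirm which expat the interpreter actually loaded rather than trusting the version folder in the source tree. `pyexpat.EXPAT_VERSION` and `pyexpat.version_info` are real standard-library attributes; the 2.4.6 threshold and the CVE list are taken from the thread, and the parsing helpers are this example's own.

```python
"""Check which libexpat a CPython interpreter is really linked against.

Added example for the python-dev thread above, not code from CPython itself.
pyexpat.EXPAT_VERSION is a string such as "expat_2.4.6" and
pyexpat.version_info the matching (major, minor, micro) tuple.
"""
import re
import pyexpat

# Threshold and CVE list as stated in the thread (constructed reference data).
FIXED_IN = (2, 4, 6)
FLAGGED_CVES = ("CVE-2022-22824", "CVE-2022-23990", "CVE-2022-23852",
                "CVE-2022-25236", "CVE-2022-22823")

_VERSION_RE = re.compile(r"expat_(\d+)\.(\d+)\.(\d+)")


def parse_expat_version(version_string):
    """Turn 'expat_2.2.8' into (2, 2, 8); reject anything else loudly."""
    m = _VERSION_RE.fullmatch(version_string.strip())
    if m is None:
        raise ValueError(f"unrecognised expat version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_string, fixed_in=FIXED_IN):
    """Return (version_tuple, ok).

    ok is True when the linked expat is at or above the release the thread
    names as carrying the fixes. Comparing tuples, not strings, keeps
    2.10.0 > 2.4.6 correct.
    """
    version = parse_expat_version(version_string)
    return version, version >= fixed_in


def check_running_interpreter():
    """Report on the expat loaded by this interpreter.

    This is the check to run after swapping Modules/expat (or building
    against a system libexpat): a stale build artefact would still show
    the old version here even though the source tree was updated.
    """
    version, ok = assess(pyexpat.EXPAT_VERSION)
    return {"expat": ".".join(map(str, version)),
            "matches_version_info": version == tuple(pyexpat.version_info),
            "meets_minimum": ok,
            "cves_still_flagged": () if ok else FLAGGED_CVES}


if __name__ == "__main__":
    print(check_running_interpreter())
```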