Leo Famulari writes:

> Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
> CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
> v3.6.7rc1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

Reading , this issue seems to only affect older versions of Expat, or
when using Python's bundled one which is compiled with
-DXML_POOR_ENTROPY.

...unfortunately we seem to be using the bundled version :-(

This patch adds a graft for Python: