GNU bug report logs - #32957
Python uses a bundled expat


Package: guix

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 6 Oct 2018 14:59:01 UTC

Severity: important

Tags: security

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Message #12 received at 32957 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 32957 <at> debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Wed, 10 Oct 2018 15:27:14 -0400
[Message part 1 (text/plain, inline)]
On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
> Python 2 and 3 are using a bundled Expat (residing under Modules/).
> 
> This has been the cause of security vulnerabilities in the past and
> should be changed to use Expat from Guix.

Looks like Debian uses an external Expat to fill the dependency, so it
should be possible:

https://packages.debian.org/stretch/python3.5-minimal

We should look into the difference between the bundled Expat and
upstream Expat.
[signature.asc (application/pgp-signature, inline)]
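
A check for the condition this report describes, as an added example that is not part of the original thread or of Guix's own code. It assumes a Linux `/proc/self/maps` and CPython's `--with-system-expat` configure option; the function names and the sample maps lines are constructed for illustration.

```python
import re
import sysconfig

def configured_with_system_expat(config_args: str) -> bool:
    """True if the interpreter's configure line requested an external libexpat."""
    m = re.search(r"--with-system-expat(?:=(\w+))?", config_args or "")
    return bool(m) and (m.group(1) or "yes") != "no"

def shared_expat_paths(maps_text: str) -> list:
    """Return libexpat shared objects found in /proc/<pid>/maps formatted text."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode path
        if len(fields) == 6 and re.search(r"/libexpat\.so(\.\d+)*$", fields[5]):
            paths.add(fields[5])
    return sorted(paths)

def classify(config_args: str, maps_text: str) -> str:
    """Heuristic: 'external' if a shared libexpat is mapped or was configured,
    otherwise 'bundled' (the copy under Modules/ compiled into pyexpat)."""
    if shared_expat_paths(maps_text) or configured_with_system_expat(config_args):
        return "external"
    return "bundled"

def inspect_running_interpreter() -> dict:
    """Apply the heuristic to the interpreter executing this script."""
    import pyexpat  # importing forces any libexpat.so dependency to be mapped
    try:
        with open("/proc/self/maps") as fh:
            maps_text = fh.read()
    except OSError:  # not Linux, or /proc unavailable
        maps_text = ""
    config_args = sysconfig.get_config_var("CONFIG_ARGS") or ""
    return {
        "expat_version": pyexpat.EXPAT_VERSION,  # version pyexpat was built against
        "linkage": classify(config_args, maps_text),
        "shared_objects": shared_expat_paths(maps_text),
    }

# Constructed sample input: the store path and addresses are placeholders.
SAMPLE_MAPS_EXTERNAL = (
    "7f10a000-7f10c000 r-xp 00000000 08:01 1234 /gnu/store/HASH-expat-X.Y.Z/lib/libexpat.so.1\n"
    "7f10d000-7f10e000 r-xp 00000000 08:01 5678 /usr/lib/python3/lib-dynload/pyexpat.so\n"
)
SAMPLE_MAPS_BUNDLED = (
    "7f10d000-7f10e000 r-xp 00000000 08:01 5678 /usr/lib/python3/lib-dynload/pyexpat.so\n"
)

if __name__ == "__main__":
    print(inspect_running_interpreter())
```

A "bundled" result means Expat security fixes reach this interpreter only when Python itself is rebuilt, so compare the reported `expat_version` against the Expat package shipped by the distribution.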

This bug report was last modified 6 years and 62 days ago.
