bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300)

New file: Modules/expat/siphash.h.
author: Victor Stinner <victor.stinner@gmail.com> 2017-06-21 12:39:22 (GMT)
committer: GitHub <noreply@github.com> 2017-06-21 12:39:22 (GMT)
commit: 5ff7132313eb651107b179d20218dfe5d4e47f13 (patch)
tree: c75f190454b750d8b03fdf05d5ed5c0d621e499d /Misc/NEWS
parent: f3e8209152dffd201620c5b5936946a9250ac359 (diff)
download: cpython-5ff7132313eb651107b179d20218dfe5d4e47f13.zip
cpython-5ff7132313eb651107b179d20218dfe5d4e47f13.tar.gz
cpython-5ff7132313eb651107b179d20218dfe5d4e47f13.tar.bz2
1 files changed, 9 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 88b1e3e..f8833aa 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -368,6 +368,15 @@ Extension Modules
 Library
 -------
 
+- [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
+  of multiple security vulnerabilities including: CVE-2017-9233 (External
+  entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
+  CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718)
+  and CVE-2012-0876 (Counter hash flooding with SipHash).
+  Note: the CVE-2016-5300 (Use os-specific entropy sources like getrandom)
+  doesn't impact Python, since Python already gets entropy from the OS to set
+  the expat secret using ``XML_SetHashSalt()``.
+
 - bpo-29755: Fixed the lgettext() family of functions in the gettext module.
   They now always return bytes.
author	Victor Stinner <victor.stinner@gmail.com>	2017-06-21 12:39:22 (GMT)
committer	GitHub <noreply@github.com>	2017-06-21 12:39:22 (GMT)
commit	5ff7132313eb651107b179d20218dfe5d4e47f13 (patch)
tree	c75f190454b750d8b03fdf05d5ed5c0d621e499d /Misc/NEWS
parent	f3e8209152dffd201620c5b5936946a9250ac359 (diff)
download	cpython-5ff7132313eb651107b179d20218dfe5d4e47f13.zip cpython-5ff7132313eb651107b179d20218dfe5d4e47f13.tar.gz cpython-5ff7132313eb651107b179d20218dfe5d4e47f13.tar.bz2