bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300) (#2313)

New file: Modules/expat/siphash.h. (cherry picked from commit 5ff7132313eb651107b179d20218dfe5d4e47f13)
author: Victor Stinner <victor.stinner@gmail.com> 2017-06-21 14:05:11 (GMT)
committer: GitHub <noreply@github.com> 2017-06-21 14:05:11 (GMT)
commit: 4a66524006852fc982aebafa277f2c043d9ad149 (patch)
tree: e2a55cb9ece8f45d95ec3025735df91ee1eb73ff /Misc
parent: a1115e1a0454f0548f96cace6ee97b286dfa1c0d (diff)
download: cpython-4a66524006852fc982aebafa277f2c043d9ad149.zip
cpython-4a66524006852fc982aebafa277f2c043d9ad149.tar.gz
cpython-4a66524006852fc982aebafa277f2c043d9ad149.tar.bz2
1 files changed, 9 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index d2bdd1e..70a531c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,15 @@ Core and Builtins
 Library
 -------
 
+- [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
+  of multiple security vulnerabilities including: CVE-2017-9233 (External
+  entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
+  CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718)
+  and CVE-2012-0876 (Counter hash flooding with SipHash).
+  Note: the CVE-2016-5300 (Use os-specific entropy sources like getrandom)
+  doesn't impact Python, since Python already gets entropy from the OS to set
+  the expat secret using ``XML_SetHashSalt()``.
+
 - bpo-29755: Fixed the lgettext() family of functions in the gettext module.
   They now always return bytes.
author	Victor Stinner <victor.stinner@gmail.com>	2017-06-21 14:05:11 (GMT)
committer	GitHub <noreply@github.com>	2017-06-21 14:05:11 (GMT)
commit	4a66524006852fc982aebafa277f2c043d9ad149 (patch)
tree	e2a55cb9ece8f45d95ec3025735df91ee1eb73ff /Misc
parent	a1115e1a0454f0548f96cace6ee97b286dfa1c0d (diff)
download	cpython-4a66524006852fc982aebafa277f2c043d9ad149.zip cpython-4a66524006852fc982aebafa277f2c043d9ad149.tar.gz cpython-4a66524006852fc982aebafa277f2c043d9ad149.tar.bz2