author    Ned Deily <nad@python.org>    2021-08-31 02:35:31 -0400
committer GitHub <noreply@github.com>   2021-08-31 02:35:31 -0400
commit    910886a6448e4bf1edf49eeace4aa240b6403772 (patch)
tree      f3907be2308011c3a9964bfc0c13ae8a5f4fe4eb /Doc
parent    8934bb0c3179e4c020cd6f08dea64bccbf56ffa2 (diff)
[3.6] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) (GH-28080)
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d)
Diffstat (limited to 'Doc')
-rw-r--r--  Doc/library/xml.rst   34
-rw-r--r--  Doc/whatsnew/3.6.rst   2
2 files changed, 20 insertions, 16 deletions
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
index 9b8ba6b17c..ac92a0d3a0 100644
--- a/Doc/library/xml.rst
+++ b/Doc/library/xml.rst
@@ -60,23 +60,27 @@ circumvent firewalls.
The following table gives an overview of the known attacks and whether
the various modules are vulnerable to them.
-========================= ============== =============== ============== ============== ==============
-kind sax etree minidom pulldom xmlrpc
-========================= ============== =============== ============== ============== ==============
-billion laughs **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable**
-quadratic blowup **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable**
-external entity expansion Safe (4) Safe (1) Safe (2) Safe (4) Safe (3)
-`DTD`_ retrieval Safe (4) Safe Safe Safe (4) Safe
-decompression bomb Safe Safe Safe Safe **Vulnerable**
-========================= ============== =============== ============== ============== ==============
-
-1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
+========================= ================== ================== ================== ================== ==================
+kind sax etree minidom pulldom xmlrpc
+========================= ================== ================== ================== ================== ==================
+billion laughs **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1)
+quadratic blowup **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1)
+external entity expansion Safe (5) Safe (2) Safe (3) Safe (5) Safe (4)
+`DTD`_ retrieval Safe (5) Safe Safe Safe (5) Safe
+decompression bomb Safe Safe Safe Safe **Vulnerable**
+========================= ================== ================== ================== ================== ==================
+
+1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
+ "quadratic blowup" vulnerabilities. Items still listed as vulnerable due to
+ potential reliance on system-provided libraries. Check
+ :data:`pyexpat.EXPAT_VERSION`.
+2. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
:exc:`ParserError` when an entity occurs.
-2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns
+3. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns
the unexpanded entity verbatim.
-3. :mod:`xmlrpclib` doesn't expand external entities and omits them.
-4. Since Python 3.8.0, external general entities are no longer processed by
- default since Python.
+4. :mod:`xmlrpclib` doesn't expand external entities and omits them.
+5. Since Python 3.6.7, external general entities are no longer processed by
+ default.
billion laughs / exponential entity expansion
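Review bot: the second sentence of new footnote 1, `Items still listed as vulnerable due to potential reliance on system-provided libraries.`, is a fragment with no main verb; suggest `These entries are still listed as vulnerable because a build may link against an older system-provided Expat.` The footnote also tells the reader to check `:data:`pyexpat.EXPAT_VERSION`` without restating what to compare it against; adding "(2.4.1 or newer)" to that sentence makes the runtime check self-contained, which matters since every cell in the two affected rows now carries `**Vulnerable** (1)` and the footnote is the only place the condition is explained. The footnote 5 change from `Since Python 3.8.0` to `Since Python 3.6.7` is the right threshold for this 3.6 backport.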
diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst
index c14e790935..5f8f478eb3 100644
--- a/Doc/whatsnew/3.6.rst
+++ b/Doc/whatsnew/3.6.rst
@@ -2181,7 +2181,7 @@ Changes in the Python API
* The functions in the :mod:`compileall` module now return booleans instead
of ``1`` or ``0`` to represent success or failure, respectively. Thanks to
- booleans being a subclass of integers, this should only be an issue if you7
+ booleans being a subclass of integers, this should only be an issue if you
were doing identity checks for ``1`` or ``0``. See :issue:`25768`.
* Reading the :attr:`~urllib.parse.SplitResult.port` attribute of
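Review bot: the only change in this hunk is dropping the stray `7` from `if you7`; the correction is right, but it is unrelated to the libexpat update described in the commit message, which does not mention it. Either split it into its own commit or add a line to the message noting the `whatsnew/3.6.rst` typo fix so the change is traceable from the 3.6 history.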