GNU bug report logs - #32957
Python uses a bundled expat

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Severity: important; Reported by: Marius Bakke <mbakke@HIDDEN>; Keywords: security; dated Sat, 6 Oct 2018 14:59:01 UTC; Maintainer for guix is bug-guix@HIDDEN.
Severity set to 'important' from 'normal' Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.
Added tag(s) security. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 6 Oct 2018 14:58:33 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 06 10:58:33 2018
Received: from localhost ([127.0.0.1]:38755 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1g8o2L-0005Jj-I6
	for submit <at> debbugs.gnu.org; Sat, 06 Oct 2018 10:58:33 -0400
Received: from eggs.gnu.org ([208.118.235.92]:39926)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@HIDDEN>) id 1g8o2J-0005JU-2o
 for submit <at> debbugs.gnu.org; Sat, 06 Oct 2018 10:58:31 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mbakke@HIDDEN>) id 1g8o2C-0002AP-UO
 for submit <at> debbugs.gnu.org; Sat, 06 Oct 2018 10:58:25 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:49636)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <mbakke@HIDDEN>) id 1g8o2C-00029Y-5B
 for submit <at> debbugs.gnu.org; Sat, 06 Oct 2018 10:58:24 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49510)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mbakke@HIDDEN>) id 1g8o2B-0007uJ-Fv
 for bug-guix@HIDDEN; Sat, 06 Oct 2018 10:58:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mbakke@HIDDEN>) id 1g8o27-00026X-4s
 for bug-guix@HIDDEN; Sat, 06 Oct 2018 10:58:22 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:56795)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <mbakke@HIDDEN>) id 1g8o26-00024z-0J
 for bug-guix@HIDDEN; Sat, 06 Oct 2018 10:58:18 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id E01D821175
 for <bug-guix@HIDDEN>; Sat,  6 Oct 2018 10:58:15 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute5.internal (MEProxy); Sat, 06 Oct 2018 10:58:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:subject:date:message-id:mime-version:content-type; s=
 fm1; bh=ZqEcX46pMlbNfVJhtip8n7/q2hqLWq9pbQPHYTZMfpw=; b=BGeoMd6z
 EMF91dhURrb/xFxFRikDxJwqCNpuS8E0MT6dUS4h3DkEGzDx1HvTMsFTQK5FW3zh
 HFQBTcKpbE9mXbWQoJTwrMaOIHBgRbdJfbnjt6Pe8MakNIzx8oAo59TOw01hZFw6
 NUelrlOj/0I/vCB8ft4/LA9eXYg+Xrnt/PuI9rtqSY4tMtAaf3lGGEkF+7N0IgQT
 1nSaZuDduvWyVJ11FB6fGuX4vWW7nBlq2aMvEzwN3BEdukCZ1VUbPFcI37bhRkP9
 /ZID4/E2Txwb35xsYY4Ss7AEsRxug18U28tIpzplG1G9frkc5rnMei2GXqzFSprH
 6dt7GEx5gVZGmg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm3; bh=ZqEcX46pMlbNfVJhtip8n7/q2hqLW
 q9pbQPHYTZMfpw=; b=atjxAuC2KRAFgRcFV+dbV7wSacdJ9xvPPerxQ7xmTyygW
 6wW+u5xZVjaFFzAsH0TmP5mk8yXAElhlhQFyBfhd1nBk7gv7K8PojP6EmBbwL3VM
 c0nI2DvnPwj+Ga1gRAFnr6hhWx/RnbsYPip+qn3peYFIKfuWDg8X6xR2PQupbO/z
 0cKVL1mvOHEhrlEL0xHdw5TsZOs87oVG5TVP0vSWEJcudLTwuHc2uurZ8R4GD9Xk
 ga7gFpUEjJ3JfsAR/x41+mu2BdDwiehJ5zg+kPO2VbFxoG/fJTIH0c7rdPEUFT1l
 0R0Ky7QWhqCUJibgIo6RYZCacCjLHR1MfkmeT4NBw==
X-ME-Sender: <xms:h824W4w2g-r11IMHuaz0zI1UOR5k7vJXabceA1HWawnX5hovLZFaTA>
X-ME-Proxy: <xmx:h824W0B0oIDakyVrWkx1CFfqQiICictDZufswx3MLeB7AU_LHmstXQ>
 <xmx:h824Ww9OA8tzLs_wxFbXK22UjSeItyosrz42pZ_X9PmRU9-MFtCzeQ>
 <xmx:h824W4DkhoE4fh53Je2B670CKOD-HGtj9Lj3MnDTnHx45EnYCMm3Wg>
 <xmx:h824W88EAzJr8t1qQxkEVhXHt1XrAIMnhyZHc4bhJClNeeTeUoq-Rw>
 <xmx:h824W7zLExKDHd8fN6Fue4aBp8CokA_druD_du4jh9p7cz5Oa9zmAg>
 <xmx:h824W1YksQ6YAxGFHqPtOjgU-HcgetAwIkEwJb01PYtzTjux5QoXVg>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id 449AA102E8
 for <bug-guix@HIDDEN>; Sat,  6 Oct 2018 10:58:15 -0400 (EDT)
From: Marius Bakke <mbakke@HIDDEN>
To: bug-guix@HIDDEN
Subject: Python uses a bundled expat
User-Agent: Notmuch/0.27 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Sat, 06 Oct 2018 16:58:13 +0200
Message-ID: <87o9c7i0l6.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.3 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.3 (-----)

--=-=-=
Content-Type: text/plain

Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlu4zYUACgkQoqBt8qM6
VPo2UAgAzKQ8+SbMxzNFx4YEEOM/Mm0XKo+20DMBZHlqI+Gg0Q+9VVCNfwttbAzw
zdEYr5Zw5FEWIe30/97Dw0BdmaK+17rREcSrc6b4UZESgIPF9R1NHzcxwZWjRWj7
PuOI6pHdADHzraMN1afgyGg2jVVc8zPmLCimNcHUpJIvJH+kFVPauEetl/ONcC7G
mOtNL1d3pHmpSAgCEHQ+iC7KoPJDDJBM0aKLtDNTYK69VaOY8L3K2b/5DgHW+jCE
RcA6tlE37Cjen+L64fPmvlMqPSD5GT5nAwn5/PwPaXWJG6FaVW5FVo6OGdn/EKI7
5kHqiuLZm2yr/fBY7xWlOhqPajHEyg==
=dmT8
-----END PGP SIGNATURE-----
--=-=-=--




Acknowledgement sent to Marius Bakke <mbakke@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#32957; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 8 Oct 2018 13:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.