[security] Please upgrade bundled Expat to 2.7.4 (e.g. for the fixes to CVE-2026-24515 and CVE-2026-25210) #144363
Description
Bug report
Bug description:
Hello! 👋
Please upgrade bundled Expat to 2.7.4 (e.g. for the fixes to CVE-2026-24515 and CVE-2026-25210).
- Blog post: https://blog.hartwork.org/posts/expat-2-7-4-released/
- GitHub release: https://github.com/libexpat/libexpat/releases/tag/R_2_7_4
- Change log: https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes
The CPython issue for previous 2.7.3 was #139312 and the related merged main pull request was #139319, in case you want to have a look. (The Dockerfile from comment #123689 (review) could be of help with raising confidence in a bump pull request when going forward.)
Thanks in advance!
CPython versions tested on:
3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, CPython main branch
Operating systems tested on:
Linux, macOS, Windows, Other
Linked PRs
- gh-144363: Update bundled libexpat to 2.7.4 #144365
- [3.14] gh-144363: Update bundled libexpat to 2.7.4 (GH-144365) #144499
- [3.13] gh-144363: Update bundled libexpat to 2.7.4 (GH-144365) #144500
- [3.12] gh-144363: Update bundled libexpat to 2.7.4 (GH-144365) #144501
- [3.11] gh-144363: Update bundled libexpat to 2.7.4 (GH-144365) #144514
- [3.10] gh-144363: Update bundled libexpat to 2.7.4 (GH-144365) #144515