python includes expat-2.1.1 sources, which has some vulnerabilities. I have reported upstream: http://bugs.python.org/issue29591
Some options to solve it:
I think the best option would be to use system expat. For example:
````diff
diff --git a/3.5/alpine/Dockerfile b/3.5/alpine/Dockerfile
index a867fb8..a122e96 100644
--- a/3.5/alpine/Dockerfile
+++ b/3.5/alpine/Dockerfile
@@ -50,6 +50,7 @@ RUN set -ex
ncurses-dev
openssl
openssl-dev
I'd rather stick to upstream sources since we could run into a scenario where the system expat is too new (or old), but it should be ok to build with system expat until they push a fix.
Looks like they finally fixed it upstream. http://bugs.python.org/issue29591
Upstream commit for 3.5 branch: https://github.com/python/cpython/commit/8c797ed8a0fea5e3162b9415f13e270d4d5d9549
Looks like this was in the 3.5.4 release and thus fixed.
Most helpful comment
Looks like they finally fixed it upstream. http://bugs.python.org/issue29591
Upstream commit for 3.5 branch: https://github.com/python/cpython/commit/8c797ed8a0fea5e3162b9415f13e270d4d5d9549