oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Expat 2.2.1 security fixes

From: Sebastian Pipping <sebastian () pipping org>
Date: Sun, 18 Jun 2017 01:20:31 +0200
Hi!


Expat 2.2.1 has been released.  The change log has more details [2] than
this mail, including commit SHA1s.
For a quick overview of the security fixes and CVEs, we have:

   CVE-2017-9233  External entity infinite loop DoS [1]
  (CVE-2016-9063) Integer overflow (re-fix)
             n/a  More integer overflow fixes
  (CVE-2016-0718) Fix regression bugs from 2.2.0's fix to CVE-2016-0718
  (CVE-2016-5300) Use os-specific entropy sources like getrandom
             n/a  No longer leak parser pointer information
             n/a  Prevent use of uninitialised variables
             n/a  Add missing API parameter validation (NULL, len<0)
  (CVE-2012-0876) Counter hash flooding with SipHash

If you control copies of Expat somewhere, please get them updated.

Best



Sebastian


[1] https://libexpat.github.io/doc/cve-2017-9233/
[2] https://github.com/libexpat/libexpat/blob/master/expat/Changes
Previous By Date Next
Previous By Thread Next

Current thread: