oss-sec mailing list archives
Expat 2.2.1 security fixes
From: Sebastian Pipping <sebastian () pipping org>
Date: Sun, 18 Jun 2017 01:20:31 +0200
Hi! Expat 2.2.1 has been released. The change log has more details [2] than this mail, including commit SHA1s. For a quick overview of the security fixes and CVEs, we have: CVE-2017-9233 External entity infinite loop DoS [1] (CVE-2016-9063) Integer overflow (re-fix) n/a More integer overflow fixes (CVE-2016-0718) Fix regression bugs from 2.2.0's fix to CVE-2016-0718 (CVE-2016-5300) Use os-specific entropy sources like getrandom n/a No longer leak parser pointer information n/a Prevent use of uninitialised variables n/a Add missing API parameter validation (NULL, len<0) (CVE-2012-0876) Counter hash flooding with SipHash If you control copies of Expat somewhere, please get them updated. Best Sebastian [1] https://libexpat.github.io/doc/cve-2017-9233/ [2] https://github.com/libexpat/libexpat/blob/master/expat/Changes
Current thread:
- Expat 2.2.1 security fixes Sebastian Pipping (Jun 17)