OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Expat 2.2.7 with security fixes has been released

Hi everyone!

Expat 2.2.7 [1] has been released a few days ago.  Besides
improvements to the build system, 2.2.7 fixes security issue
CVE-2018-20843 [2] that allowed use of specially crafted XML to
cause Denial of Service.  The issue was found during fuzzing of
LibreOffice by the Chromium team and reported by Caolán McNamara.

With regard to Denial of Service protection, libexpat still needs
a partner to sponsor additional development workforce — my own time
remaining free but limited — to prevent Denial of Service through
Billion laughs attacks [3] by default, for the masses, with sane
defaults, and with knobs for tuning.  If you operate software
accepting XML from the internet in an enterprise and aim at 99.9%-
and-beyond availability per year, please get in touch.

For more details regarding the latest release, please check out the
change log [4].

If you maintain Expat packaging and/or a bundled copy of Expat
and/or a pinned version of Expat somewhere, please update to 2.2.7.
Thank you!


Sebastian Pipping

[1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_7
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
[3] https://en.wikipedia.org/wiki/Billion_laughs_attack
[4] https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS