[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
Expat 2.2.7 with security fixes has been released
- From: Sebastian Pipping <sebastian@pipping.org>
- To: xml-dev@lists.xml.org
- Date: Thu, 27 Jun 2019 23:34:32 +0200
Hi everyone!
Expat 2.2.7 [1] has been released a few days ago. Besides
improvements to the build system, 2.2.7 fixes security issue
CVE-2018-20843 [2] that allowed use of specially crafted XML to
cause Denial of Service. The issue was found during fuzzing of
LibreOffice by the Chromium team and reported by Caolán McNamara.
With regard to Denial of Service protection, libexpat still needs
a partner to sponsor additional development workforce — my own time
remaining free but limited — to prevent Denial of Service through
Billion laughs attacks [3] by default, for the masses, with sane
defaults, and with knobs for tuning. If you operate software
accepting XML from the internet in an enterprise and aim at 99.9%-
and-beyond availability per year, please get in touch.
For more details regarding the latest release, please check out the
change log [4].
If you maintain Expat packaging and/or a bundled copy of Expat
and/or a pinned version of Expat somewhere, please update to 2.2.7.
Thank you!
Best
Sebastian Pipping
[1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_7
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
[3] https://en.wikipedia.org/wiki/Billion_laughs_attack
[4] https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
