OASIS Mailing List Archives
Expat 2.4.0 (and 2.4.1) with security fixes released

Hello everyone!


(A *longer* blog-post version of this e-mail is available online at
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/ .)

Expat 2.4.0 [1] and follow-up release 2.4.1 [2] have both been released
earlier today.  Release 2.4.0 fixes the long-known security issue
CVE-2013-0340 [3] by adding protection against so-called Billion Laughs
Attacks [4], a form of denial of service against applications accepting
XML input, in all known variations, including the recent flavor Parameter
Laughs [5].

[..]

Besides this security fix, there is the usual bunch of fixes and
improvements in tooling, documentation, and the two build systems.
For more details, please check out the change log [6].

If you maintain Expat packaging or a bundled copy of Expat or a pinned
version of Expat somewhere, please update to 2.4.1.  Thank you!

Best

Sebastian Pipping


[1] https://github.com/libexpat/libexpat/releases/tag/R_2_4_0
[2] https://github.com/libexpat/libexpat/releases/tag/R_2_4_1
[3] https://marc.info/?l=oss-security&m=136580776324285&w=2
[4] https://en.wikipedia.org/wiki/Billion_laughs_attack
[5] https://blog.hartwork.org/posts/cve-2021-3541-parameter-laughs-fixed-in-libxml2-2-9-11/
[6] https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes
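As an added example (not part of Sebastian's mail and not code from the Expat project): a Python check that the Expat build behind your interpreter actually carries the 2.4.0 protection, by feeding a scaled-down Billion Laughs document to `xml.parsers.expat` and looking for the amplification error. The function names and the document are constructed here; the limits mentioned in the comments (100x amplification, enforced once 8 MiB have been expanded) are Expat's documented defaults.

```python
"""Regression check: does the Expat linked into this Python reject
entity-expansion bombs the way Expat >= 2.4.0 does?"""
import xml.parsers.expat as expat


def make_entity_bomb(depth: int = 7, fanout: int = 10) -> str:
    """Constructed test fixture: entity lolN references lol(N-1) `fanout`
    times, so the 3-byte base text grows by `fanout` per level.  With the
    defaults the document is well under 1 KB of input but would expand to
    roughly 30 MB of text, far beyond Expat's default 100x amplification
    limit (which Expat starts enforcing after 8 MiB of expanded output)."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * fanout
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    subset = "\n".join(decls)
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE lolz [\n{subset}\n]>\n"
        f"<lolz>&lol{depth};</lolz>\n"
    )


def parse_outcome(document: str) -> str:
    """Return 'rejected' when Expat aborts because of its amplification
    limit (the 2.4.0 protection), 'expanded' when the document parses to
    completion (unprotected Expat), or 'error:<message>' for any other
    parse failure.  No handlers are registered: Expat expands internal
    entities regardless, which is exactly why the attack worked."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(document, True)
    except expat.ExpatError as err:
        # Expat's message: "limit on input amplification factor
        # (from DTD and entities) breached: line N, column M"
        if "amplification" in str(err):
            return "rejected"
        return f"error:{err}"
    return "expanded"


def expat_has_protection() -> bool:
    """Billion Laughs protection first shipped in Expat 2.4.0."""
    return expat.version_info >= (2, 4, 0)


if __name__ == "__main__":
    print("Expat", expat.EXPAT_VERSION, "->", parse_outcome(make_entity_bomb()))
```

A result of `expanded` on a build that reports a version of 2.4.0 or newer would mean the protection was compiled out (Expat only includes it when built with DTD support), which is worth checking for vendored copies.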

