UbuntuUpdates.org

Package "expat"

Name: expat

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • XML parsing C library - runtime library
  • XML parsing C library - development kit

Latest version: 2.4.7-1ubuntu0.2
Release: jammy (22.04)
Level: security
Repository: main

Links



Other versions of "expat" in Jammy

Repository Area Version
base main 2.4.7-1
base universe 2.4.7-1
security universe 2.4.7-1ubuntu0.2
updates main 2.4.7-1ubuntu0.2
updates universe 2.4.7-1ubuntu0.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.7-1ubuntu0.2 2022-11-23 13:07:26 UTC

  expat (2.4.7-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: use-after-free
    - debian/patches/CVE-2022-43680-1.patch: adds tests to cover
      DTD destruction in XML_ExternalEntityParserCreate in
      expat/tests/runtests.c.
    - debian/patches/CVE-2022-43680-2.patch: fix overeager DTD
      destruction in XML_ExternalEntityParserCreate in
      expat/lib/xmlparse.c.
    - CVE-2022-43680

 -- David Fernandez Gonzalez <email address hidden> Fri, 18 Nov 2022 12:21:42 +0100

Source diff to previous version
CVE-2022-43680 In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memo

Version: 2.4.7-1ubuntu0.1 2022-11-17 11:07:23 UTC

  expat (2.4.7-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Use-after-free in doContent
    - debian/patches/CVE-2022-40674.patch: ensure storeRawNames()
      is always called in func internalEntityProcessor if handling
      unbalanced tags in expat/lib/xmlparse.c.
    - CVE-2022-40674

 -- David Fernandez Gonzalez <email address hidden> Tue, 15 Nov 2022 16:01:53 +0100

CVE-2022-40674 libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.



About   -   Send Feedback to @ubuntu_updates