Security Information / 2017 / Security Information -- DSA-3898-1 expat

Debian Security Advisory

DSA-3898-1 expat -- security update

Date Reported:

25 Jun 2017

Affected Packages:

expat

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-9063, CVE-2017-9233.

More information:

Multiple vulnerabilities have been discovered in Expat, an XML parsing C library. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2016-9063

  Gustavo Grieco discovered an integer overflow flaw during parsing of XML. An attacker can take advantage of this flaw to cause a denial of service against an application using the Expat library.

• CVE-2017-9233

  Rhodri James discovered an infinite loop vulnerability within the entityValueInitProcessor() function while parsing malformed XML in an external entity. An attacker can take advantage of this flaw to cause a denial of service against an application using the Expat library.

For the oldstable distribution (jessie), these problems have been fixed in version 2.1.0-6+deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 2.2.0-2+deb9u1. For the stable distribution (stretch), CVE-2016-9063 was already fixed before the initial release.

For the testing distribution (buster), these problems have been fixed in version 2.2.1-1 or earlier version.

For the unstable distribution (sid), these problems have been fixed in version 2.2.1-1 or earlier version.

We recommend that you upgrade your expat packages.