Debian Security Advisory
DSA-3898-1 expat -- security update
- Date Reported:
- 25 Jun 2017
- Affected Packages:
- expat
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-9063, CVE-2017-9233.
- More information:
-
Multiple vulnerabilities have been discovered in Expat, an XML parsing C library. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2016-9063
Gustavo Grieco discovered an integer overflow flaw during parsing of XML. An attacker can take advantage of this flaw to cause a denial of service against an application using the Expat library.
- CVE-2017-9233
Rhodri James discovered an infinite loop vulnerability within the entityValueInitProcessor() function while parsing malformed XML in an external entity. An attacker can take advantage of this flaw to cause a denial of service against an application using the Expat library.
For the oldstable distribution (jessie), these problems have been fixed in version 2.1.0-6+deb8u4.
For the stable distribution (stretch), these problems have been fixed in version 2.2.0-2+deb9u1. For the stable distribution (stretch), CVE-2016-9063 was already fixed before the initial release.
For the testing distribution (buster), these problems have been fixed in version 2.2.1-1 or earlier version.
For the unstable distribution (sid), these problems have been fixed in version 2.2.1-1 or earlier version.
We recommend that you upgrade your expat packages.
- CVE-2016-9063