[SECURITY] [DSA 5266-1] expat security update



-------------------------------------------------------------------------
Debian Security Advisory DSA-5266-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 30, 2022                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : expat
CVE ID         : CVE-2022-43680
Debian Bug     : 1022743

A heap use-after-free vulnerability after overeager destruction of a
shared DTD in the XML_ExternalEntityParserCreate function in Expat, an
XML parsing C library, may result in denial of service or potentially
the execution of arbitrary code.

For the stable distribution (bullseye), this problem has been fixed in
version 2.2.10-2+deb11u5.

We recommend that you upgrade your expat packages.

For the detailed security status of expat please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/expat

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org