[prev in list] [next in list] [prev in thread] [next in thread]
List: buildroot
Subject: Re: [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.6.0
From: Peter Korsgaard <peter () korsgaard ! com>
Date: 2024-02-29 21:59:53
Message-ID: 87msrjc4mb.fsf () 48ers ! dk
[Download RAW message or body]
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Security fixes:
> - CVE-2023-52425: Fix quadratic runtime issues with big tokens that can
> cause denial of service, in partial where dealing with compressed XML
> input. Applications that parsed a document in one go -- a single call
> to functions XML_Parse or XML_ParseBuffer -- were not affected. The
> smaller the chunks/buffers you use for parsing previously, the bigger
> the problem prior to the fix.
> - CVE-2023-52426: Fix billion laughs attacks for users compiling
> *without* XML_DTD defined (which is not common). Users with XML_DTD
> defined have been protected since Expat >=2.4.0 (and that was
> CVE-2013-0340 back then).
> https://blog.hartwork.org/posts/expat-2-6-0-released/
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2023.02.x and 2023.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic