Change logs for expat source package in Bionic

  • expat (2.2.5-3ubuntu0.9) bionic-security; urgency=medium
    
      * SECURITY REGRESSION: Tests failed
        - debian/patches/CVE-2022-43680-1.patch: backport patch
          to work for this version in expat/tests/runtests.c.
    
     -- David Fernandez Gonzalez <email address hidden>  Fri, 18 Nov 2022 11:57:30 +0100
  • expat (2.2.5-3ubuntu0.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: use-after-free
        - debian/patches/CVE-2022-40674.patch: adds a conditional call to
          storeRawNames() in func internalEntityProcessor following a call
          to doContent() that could result in unbalanced tags upon returning.
        - CVE-2022-40674
      * SECURITY UPDATE: use-after-free
        - debian/patches/CVE-2022-43680-1.patch: adds tests to cover
          DTD destruction in XML_ExternalEntityParserCreate in
          expat/tests/runtests.c.
        - debian/patches/CVE-2022-43680-2.patch: fix overeager DTD
          destruction in XML_ExternalEntityParserCreate in
          expat/lib/xmlparse.c.
        - CVE-2022-43680
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 08 Nov 2022 07:13:44 -0300
  • expat (2.2.5-3ubuntu0.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Stack exhaustion
        - debian/patches/CVE-2022-25313.patch: prevent
          stack exhaustion in build_model in expat/lib/xmlparse.c.
        - debian/patches/fix-build_model-regression.patch: fix build_model
          regression in expat/lib/xmlparse.c.
        - CVE-2022-25313
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2022-25314.patch: prevent integer overflow in
          copyString in expat/lib/xmlparse.c.
        - CVE-2022-25314
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2022-25315.patch: prevent integer overflow in
          storeRawNames in expat/lib/xmlparse.c.
        - CVE-2022-25315
      * SECURITY UPDATE: relax fix to CVE-2022-25236 with regard to
        RFC 3986 URI characters and possible regressions
        - debian/patches/CVE-2022-25236-3.patch: add a note on namespace URI
          validation in expat/doc/reference.html, expat/lib/expat.h.
        - debian/patches/CVE-2022-25236-4.patch: document namespace separator
          effect right in header expat/lib/expat.h.
        - debian/patches/CVE-2022-25236-5.patch: cover relaxed fix in tests.
        - debian/patches/CVE-2022-25236-6.patch: relax fix with regard to
          RFC 3986 URI characters in expat/lib/xmlparse.c. (LP: #1963903)
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 08 Mar 2022 09:28:37 -0300
  • expat (2.2.5-3ubuntu0.4) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Realloc misbehavior
        - debian/patches/CVE-2021-45960.patch: detect and prevent troublesome
          left shifts in function storeAtts in expat/lib/xmlparse.c.
        - CVE-2021-45960
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2021-46143.patch: prevent integer overflow
          on m_groupSize in function doProlog in expat/lib/xmlparse.c.
        - CVE-2021-46143
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2022-22822-to-CVE-2022-22827.patch: prevent integer overflow
          in multiple places in expat/lib/xmlparse.c.
        - CVE-2022-22822
        - CVE-2022-22823
        - CVE-2022-22824
        - CVE-2022-22825
        - CVE-2022-22826
        - CVE-2022-22827
      * SECURITY UPDATE: Signed integer overflow
        - debian/patches/CVE-2022-23852-*.patch: detect and prevent
          integer overflow in XML_GetBuffer in expat/lib/xmlparse.c and
          adds test to cover it in expat/tests/runtests.c.
        - CVE-2022-23852
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2022-23990.patch: prevent integer overflow in
          doProlog in expat/lib/xmlparse.c.
        - CVE-2022-23990
      * SECURITY UPDATE: Incomplete validation encoding
        - debian/patches/CVE-2022-25235-*.patch: adds missing validation
          and adds tests in expat/lib/xmltok_impl.c, expat/tests/runtests.c.
        - CVE-2022-25235
      * SECURITY UPDATE: Namespace-separator insertions
        - debian/patches/CVE-2022-25236-*.patch: Protect against malicious
          namespace declarations in expat/lib/xmlparse.c, expat/tests/runtests.c.
        - CVE-2022-25236
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 17 Feb 2022 20:38:16 -0300
  • expat (2.2.5-3ubuntu0.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: heap-based buffer over-read
        - debian/patches/CVE-2019-15903.patch: Deny internal
          entities closing the doctype in expat/lib/xmlparse.c.
        - CVE-2019-15903
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 10 Sep 2019 15:05:44 -0300
  • expat (2.2.5-3ubuntu0.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2018-20843.patch: adds a break in
          setElementTypePrefix to avoid consuming a high amount of RAM
          and CPU in expat/lib/xmlparse.c
        - CVE-2018-20843
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 26 Jun 2019 12:14:29 -0300
  • expat (2.2.5-3) unstable; urgency=medium
    
      * Don't install irrelevant README.md (closes: #884818).
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Wed, 20 Dec 2017 00:17:04 +0000
  • expat (2.2.5-2) unstable; urgency=medium
    
      * Upload to Sid.
      * Install AUTHORS file.
      * Update project homepage.
      * Migrate d/copyright to format 1.0 .
      * Update debhelper level to 11 .
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Sun, 17 Dec 2017 07:33:25 +0000
  • expat (2.2.5-0ubuntu2) bionic; urgency=medium
    
      * New upstream version.
      * Bump standards version.
      * Adjust build system for upstream change to autotools.
    
     -- Matthias Klose <email address hidden>  Wed, 06 Dec 2017 17:40:35 +0100
  • expat (2.2.5-0ubuntu1) bionic; urgency=medium
    
      * New upstream version.
      * Bump standards version.
      * Adjust build system for upstream change to autotools.
    
     -- Matthias Klose <email address hidden>  Wed, 06 Dec 2017 17:40:35 +0100
  • expat (2.2.3-2) unstable; urgency=medium
    
      * Do not install .la files (closes: #880110).
      * Don't expose libbsd-dev dependency on libexpat1-dev .
      * Update Standards-Version to 4.1.1:
        - change libexpat1-udeb priority to optional.
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Sun, 05 Nov 2017 13:01:19 +0000
  • expat (2.2.3-1) unstable; urgency=medium
    
      * New upstream release.
      * Remove dh-autoreconf build dependency.
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Wed, 02 Aug 2017 19:54:40 +0000