Change logs for expat source package in Xenial

  • expat (2.1.0-7ubuntu0.16.04.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: heap-based buffer over-read
        - debian/patches/CVE-2019-15903.patch: Deny internal
          entities closing the doctype in lib/xmlparse.c.
        - CVE-2019-15903
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 10 Sep 2019 15:27:03 -0300
  • expat (2.1.0-7ubuntu0.16.04.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2018-20843.patch: adds a break in
          setElementTypePrefix to avoid consuming a high amount of RAM
          and CPU in lib/xmlparser.c
        - CVE-2018-20843
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 26 Jun 2019 12:09:36 -0300
  • expat (2.1.0-7ubuntu0.16.04.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: external entity infinite loop
        - debian/patches/CVE-2017-9233.patch: add check to lib/xmlparse.c.
        - CVE-2017-9233
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2017 09:05:33 -0400
  • expat (2.1.0-7ubuntu0.16.04.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: unanticipated internal calls to srand
        - debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
          in lib/xmlparse.c.
        - debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
          32bit platforms in lib/xmlparse.c.
        - CVE-2012-6702
      * SECURITY UPDATE: use of too little entropy
        - debian/patches/CVE-2016-5300-1.patch: extract method
          gather_time_entropy in lib/xmlparse.c.
        - debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
          address in lib/xmlparse.c.
        - CVE-2016-5300
    
     -- Marc Deslauriers <email address hidden>  Fri, 10 Jun 2016 08:48:04 -0400
  • expat (2.1.0-7ubuntu0.16.04.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service and possible code execution via
        malformed documents
        - debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
          and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
          lib/xmltok_impl.c.
        - CVE-2016-0718
      * SECURITY UPDATE: integer overflows in XML_GetBuffer
        - debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
          lib/xmlparse.c.
        - CVE-2015-1283
    
     -- Marc Deslauriers <email address hidden>  Mon, 16 May 2016 12:47:07 -0400
  • expat (2.1.0-7) unstable; urgency=high
    
      * Fix CVE-2015-1283, multiple integer overflows in the XML_GetBuffer
        function (closes: #793484).
      * Update Standards-Version to 3.9.6.
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Fri, 24 Jul 2015 14:48:45 +0000
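The CVE-2015-1283 entries above (and the "integer overflow" wording of CVE-2016-0718) describe the bug class where a parser grows its input buffer from an `int` length the caller supplies, and the size arithmetic wraps before the allocation. The following is an added illustration of that class and of the check that defeats it; it is not expat's code and not the contents of either patch. The `parser_t` layout and the functions `needed_size_checked`, `get_buffer_checked`, `parser_init`, `parser_free` and `demo` are assumptions made for this example only.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser buffer, loosely modelled on the
   "unparsed tail plus room for len more bytes" pattern. */
typedef struct {
    char *buffer;     /* start of the allocation */
    char *bufferPtr;  /* first byte not yet parsed */
    char *bufferEnd;  /* one past the last byte received so far */
    char *bufferLim;  /* one past the end of the allocation */
} parser_t;

int parser_init(parser_t *p, int initial_cap) {
    if (initial_cap <= 0) return -1;
    p->buffer = (char *)malloc((size_t)initial_cap);
    if (!p->buffer) return -1;
    p->bufferPtr = p->bufferEnd = p->buffer;
    p->bufferLim = p->buffer + initial_cap;
    return 0;
}

void parser_free(parser_t *p) {
    free(p->buffer);
    p->buffer = p->bufferPtr = p->bufferEnd = p->bufferLim = NULL;
}

/* The bug class: computing 'len + unparsed' as a plain int sum wraps when
   len is near INT_MAX, so a doubling loop keyed on the wrapped value does
   not grow the buffer and the caller writes past the real allocation.
   This version rejects the request (-1) instead of wrapping. */
int needed_size_checked(int len, int unparsed) {
    if (len < 0 || unparsed < 0) return -1;
    if (len > INT_MAX - unparsed) return -1;   /* would overflow */
    return len + unparsed;
}

/* Returns writable space for 'len' more bytes after the current data,
   compacting or growing the buffer as needed. NULL means the request was
   rejected (negative or overflowing length) or malloc failed. */
char *get_buffer_checked(parser_t *p, int len) {
    int unparsed = (int)(p->bufferEnd - p->bufferPtr);
    int needed = needed_size_checked(len, unparsed);
    if (needed < 0) return NULL;
    if (len <= (int)(p->bufferLim - p->bufferEnd))
        return p->bufferEnd;                   /* already enough room */
    /* Grow by doubling, with the same guard applied to the capacity. */
    int cap = (int)(p->bufferLim - p->buffer);
    while (cap < needed) {
        if (cap > INT_MAX / 2) return NULL;    /* doubling would overflow */
        cap *= 2;
    }
    char *nb = (char *)malloc((size_t)cap);
    if (!nb) return NULL;
    if (unparsed > 0) memcpy(nb, p->bufferPtr, (size_t)unparsed);
    free(p->buffer);
    p->buffer = nb;
    p->bufferPtr = nb;
    p->bufferEnd = nb + unparsed;
    p->bufferLim = nb + cap;
    return p->bufferEnd;
}

/* Exercise the normal path and the wrap attempt; returns 0 on success,
   a negative code identifying the failed step otherwise. */
int demo(void) {
    parser_t p;
    if (parser_init(&p, 16) != 0) return -1;
    char *w = get_buffer_checked(&p, 8);
    if (!w) return -2;
    memcpy(w, "<a>hello", 8);               /* constructed input */
    p.bufferEnd += 8;
    p.bufferPtr += 3;                       /* pretend "<a>" was consumed */
    w = get_buffer_checked(&p, 100);        /* forces growth + compaction */
    if (!w) return -3;
    if (memcmp(p.bufferPtr, "hello", 5) != 0) return -4;
    if ((p.bufferLim - p.buffer) < 105) return -5;
    /* A length near INT_MAX must be refused, never silently shrunk. */
    if (get_buffer_checked(&p, INT_MAX) != NULL) return -6;
    parser_free(&p);
    return 0;
}
```

The defensive point is that the overflow test runs on the inputs (`len > INT_MAX - unparsed`) before any sum is formed; checking the sum afterwards is too late because signed overflow is undefined behaviour in C and the compiler may drop the test.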