Debian 10261 Published by

An expat security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address a use-after free caused by overeager destruction of a shared DTD in XML.



ELA-715-1 expat security update

Package expat
Version 2.1.0-6+deb8u10 (jessie), 2.2.0-2+deb9u7 (stretch)
Related CVEs CVE-2022-43680

In src:expat, an XML parsing C library, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

For Debian 8 jessie, these problems have been fixed in version 2.1.0-6+deb8u10.

For Debian 9 stretch, these problems have been fixed in version 2.2.0-2+deb9u7.

We recommend that you upgrade your expat packages.

Further information about Extended LTS security advisories can be found at: debian Extended Long term support

  ELA-715-1 expat security update