
Expat 2.6.0 released, includes security fixes

For readers new to Expat: libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C (specifically C99). It is cross-platform and licensed under the MIT license.

Expat 2.6.0 has been released earlier today. Most importantly, this release fixes two security issues, CVE-2023-52425 and CVE-2023-52426, that can be used to cause denial of service. There are also non-security bugfixes, many improvements to the two official build systems (GNU Autotools and CMake), enhancements to the documentation and the xmlwf command line tool, new example code element_declarations.c, improved fuzzers, hardened CI security, and many more improvements, both above and below water level. For more details, please check out the change log.

While these are not new learnings, to me this release proved once more that OSS-Fuzz and fuzzing keep uncovering actual and surprising bugs, and that Clang's AddressSanitizer and UndefinedBehaviorSanitizer have become invaluable to the C/C++ community and can hardly be over-promoted.

I would like to thank everyone who has contributed to this release of Expat in some way, in particular thanks to Snild Dolkow for his work on and around fixing CVE-2023-52425 — two thumbs up!

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.6.0. Thank you!

Sebastian Pipping