Skip to main content

Hartwork Blog

Free Software, Music, Chinese Chess

Expat 2.5.0 released, includes security fixes

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.5.0 has been released earlier today. Most importantly, this release fixes CVE-2022-43680: a heap use-after-free vulnerability after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations, with expected impact of denial of service or potentially arbitrary code execution. There are non-security bugfixes and other improvements, too. For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.5.0. Thank you!

Sebastian Pipping

uriparser 0.9.7 released

uriparser is a strictly RFC 3986 compliant software libre URI parsing and handling library written in C89 ("ANSI C"). uriparser is cross-platform, fast, supports both char and wchar_t string input natively, and is licensed under the New BSD license.

Earlier today uriparser 0.9.7 has been released. Version 0.9.7 fixes multiple issues with parsing IPv6 URIs, most importantly. For more details, please check out the change log.

If you maintain uriparser packaging or a bundled copy of uriparser or a pinned version of uriparser somewhere, please update to 0.9.7 — thank you!

Sebastian Pipping

Expat 2.4.9 released, includes security fixes

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.9 has been released earlier today. Alongside the usual pile of improvements to the build system, most importantly this release fixes CVE-2022-40674: a heap use-after-free vulnerability in function doContent with expected impact of denial of service or potentially arbitrary code execution. For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.9. Thank you!

Sebastian Pipping

Expat 2.4.7 released

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.7 has been released a few minutes ago. Most importantly, this release relaxes the fix to CVE-2022-25236 (introduced with release 2.4.5) which some of you have been waiting for, due to related incompatibilities.

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.7. Thank you!

Sebastian Pipping

Expat 2.4.6 released

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.6 has been released a few hours ago. This release fixes a regression introduced by one of the security fixes in 2.4.5.

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.6. Thank you!

Sebastian Pipping

Expat 2.4.5 released, includes security fixes

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.5 has been released a few hours ago. This release is about security fixes. There are 5 CVEs involved:

Regarding impact of vulnerabilities, please note that looking at a vulnerability in isolation may miss part of the picture; e.g. if Expat passes malformed data to the application using Expat and that application isn't preprared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in isolation.

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.5. Thank you!

Sebastian Pipping

Expat 2.4.4 released, includes security fixes

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.4 has been released yesterday. Besides a memory leak bugfix to xmlwf and fixes to the build system, this release is about security fixes. There are 2 CVEs involved, both related to fixed-size integer math (integer overflow) near memory allocation, not unlike what we had with 2.4.3 before. Impact is denial of service, or more.

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.4. Thank you!

Sebastian Pipping

Expat 2.4.3 released, includes security fixes

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.3 has been released earlier today. Besides two minor fixes to the build system, this release is about security fixes. There is a total of 8 CVEs fixed, all related to fixed-size integer math (integer overflow and invalid shifts) near memory allocation. Impact is denial of service, or more.

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.3. Thank you!

Sebastian Pipping