Expat 2.2.7 with security fixes has been released

June 26, 2019

Submitted by Sebastian Pipping.

libexpat is a fast streaming XML parser written in C. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C. It is cross-platform and licensed under the MIT license.

Expat 2.2.7 has been released a few days ago. Besides improvements to the build system, 2.2.7 fixes security issue CVE-2018-20843 that allowed use of specially crafted XML to cause Denial of Service. The issue was found during fuzzing of LibreOffice by the Chromium team and reported by Caolán McNamara.

With regard to Denial of Service protection, libexpat still needs a partner to sponsor additional development workforce — my own time remaining free but limited — to prevent Denial of Service through Billion laughs attacks by default, for the masses, with sane defaults, and with knobs for tuning. If you operate software accepting XML from the internet in an enterprise and aim at 99.9%-and-beyond availability per year, please get in touch.

For more details regarding the latest release, please check out the changelog.

If you maintain Expat packaging and/or a bundled copy of Expat and/or a pinned version of Expat somewhere, please update to 2.2.7. Thank you!

Sebastian Pipping

This article first appeared at blog.hartwork.org.

News items may be commercial in nature and are published as received.