Expat 2.2.8 with security fixes has been released

September 14, 2019

Submitted by Sebastian Pipping.

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C. It is cross-platform and licensed under the MIT license.

Expat 2.2.8 was released yesterday. This release fixes a security issue, a heap buffer over-read known as CVE-2019-15903 and reported by Joonun Jang, which results in a denial of service. It also starts using the rand_s function on Windows and MinGW (replacing the previous LoadLibrary hack), and includes non-security bugfixes, many build system fixes and improvements, improvements to xmlwf usability, and more.

For more details regarding the latest release, please check out the changelog.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.2.8. Thank you!

Sebastian Pipping

This article first appeared at blog.hartwork.org.
