Expat 2.4.0 (and 2.4.1) with security fixes released
May 23, 2021
Submitted by Sebastian Pipping.
There is a longer version of this article at blog.hartwork.org.
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.4.0 and follow-up release 2.4.1 were both released earlier today. Release 2.4.0 fixes the long-known security issue CVE-2013-0340 by adding protection against so-called Billion Laughs Attacks, a form of denial of service against applications accepting XML input, in all known variations, including the recent flavor Parameter Laughs.
Besides this security fix, there is the usual bunch of fixes and improvements in tooling, documentation, and the two build systems. For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.1. Thank you!
This article first appeared at blog.hartwork.org.