Expat 2.5.0 released, includes security fixes
October 25, 2022
Submitted by Sebastian Pipping.
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
Expat 2.5.0 has been released earlier today. Most importantly, this release fixes CVE-2022-43680: a heap use-after-free vulnerability after overeager destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations, with expected impact of denial of service or potentially arbitrary code execution. There are non-security bugfixes and other improvements, too. For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.5.0. Thank you!
This article first appeared at blog.hartwork.org.