Opened 27 hours ago

Last modified 24 hours ago

#5933 new enhancement

expat-2.8.1 (Security update)

Reported by: Bruce Dubbs
Owned by: lfs-book
Priority: high
Milestone: 13.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (2)

comment:1 by Bruce Dubbs, 27 hours ago

Release 2.8.1 Sun May 10 2026
        Security fixes:
           #1216  CVE-2026-45186 -- Fix quadratic runtime from attribute name
                    collision checks that allowed denial of service attacks
                    through moderately sized crafted XML input (CWE-407).
                    Please note that a layer of compression around XML can
                    significantly reduce the minimum attack payload size.

        Other changes:
     #1209 #1213  Drop more casts related to `void *` that C99 does not need
           #1213  xmlwf: Streamline use of `mmap`
     #1214 #1217  Version info bumped from 13:0:12 (libexpat*.so.1.12.0)
                    to 13:1:12 (libexpat*.so.1.12.1); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
           #1210  CI: Cover compilation with Visual Studio 18 2026 on Windows
           #1215  CI: Cover compilation for ARM64 on Windows
           #1212  CI: Bump WASI SDK from 32 to 33

comment:2 by Douglas R. Reno, 24 hours ago

An update from the maintainer on oss-security:

Hello oss-security,

just a quick note that libexpat 2.8.1 (or "Expat 2.8.1") released
yesterday is fixing CVE-2026-45186:

  Fix quadratic runtime from attribute name collision checks that
  allowed denial of service attacks through moderately sized crafted
  XML input (CWE-407).
  Please note that a layer of compression around XML can significantly
  reduce the minimum attack payload size.

Some key links are:

- The blog post about it
  https://blog.hartwork.org/posts/expat-2-8-1-released/

- The change log of release 2.8.1
  https://github.com/libexpat/libexpat/blob/R_2_8_1/expat/Changes

- The fixing pull request
  https://github.com/libexpat/libexpat/pull/1216

- The NVD CVE metadata
  https://nvd.nist.gov/vuln/detail/CVE-2026-45186

PS: The CVE database lists an unrealistically low CVSS score for this.
    The complexity of an attack is very low (not "High") and the attack
    vector is remote (not "Local"). I have asked Mitre to fix this
    earlier today. My blog post linked above has a few more words on
    that topic.

Best

Sebastian
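Added practitioner's check for the points raised in both comments above (which release carries the fix, what the 13:1:12 version bump means for the installed file name, and the maintainer's caveat that compression shrinks the attack payload). This is example code written for this ticket, not code from the Expat project, the LFS book, or either commenter. It assumes that a single element carrying many unique attribute names exercises the attribute-name collision checks the change log names (my assumption; it is not a reproducer taken from pull request #1216), and the byte and attribute caps are illustrative values. It uses Python because CPython's pyexpat module is linked against libexpat, so it reports the version the interpreter actually uses (the system libexpat if Python was built against it).

```python
import gzip
import time
import zlib
import xml.parsers.expat as expat

# First release carrying the fix for CVE-2026-45186 (per the quoted change log).
FIXED_VERSION = (2, 8, 1)


class DecompressedSizeExceeded(Exception):
    """Decompressed XML would exceed the configured byte cap."""


class AttributeLimitExceeded(Exception):
    """An element carried more attributes than the configured cap."""


def linked_expat_version():
    """(major, minor, micro) of the libexpat this interpreter links against."""
    return tuple(expat.version_info)


def is_patched(version):
    """True if a (major, minor, micro) tuple is at or past the fixed release."""
    return tuple(version) >= FIXED_VERSION


def libtool_so_name(current, revision, age, base="libexpat.so"):
    """File name libtool derives from current:revision:age: <base>.<current-age>.<age>.<revision>."""
    return "%s.%d.%d.%d" % (base, current - age, age, revision)


def build_many_attr_element(n):
    """Constructed probe: one element with n distinct attributes, so the parser
    must compare every new name against all earlier ones.  Assumed to exercise
    the collision-check path the change log names; not taken from the fix PR."""
    attrs = " ".join('a%d="%d"' % (i, i) for i in range(n))
    return ('<?xml version="1.0"?><root %s/>' % attrs).encode("ascii")


def compressed_probe(n):
    """The probe behind the 'layer of compression' the note warns about."""
    return gzip.compress(build_many_attr_element(n))


def bounded_decompress(blob, max_bytes):
    """gzip-decompress blob without ever emitting more than max_bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: gzip framing expected
    out = d.decompress(blob, max_bytes + 1)  # stops early instead of inflating all
    if len(out) > max_bytes:
        raise DecompressedSizeExceeded("output exceeds %d bytes" % max_bytes)
    if not d.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return out


def safe_parse(blob, max_bytes, max_attrs, compressed=True):
    """Parse under a decompressed-size cap and a per-element attribute cap;
    returns (element_count, max_attributes_seen).  Raising inside the start
    handler aborts Parse() and propagates, so an oversized element is rejected
    as soon as expat delivers it."""
    data = bounded_decompress(blob, max_bytes) if compressed else blob
    if len(data) > max_bytes:
        raise DecompressedSizeExceeded("input exceeds %d bytes" % max_bytes)
    stats = {"elements": 0, "max_attrs": 0}

    def on_start(name, attrs):
        stats["elements"] += 1
        stats["max_attrs"] = max(stats["max_attrs"], len(attrs))
        if len(attrs) > max_attrs:
            raise AttributeLimitExceeded(
                "<%s> has %d attributes (cap %d)" % (name, len(attrs), max_attrs))

    parser = expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return stats["elements"], stats["max_attrs"]


def scaling_ratio(n):
    """Parse time for 2n attributes over the time for n: about 2 means linear,
    about 4 the quadratic shape the change log describes.  Timing is noisy;
    treat the number as a signal, not proof."""
    def parse_seconds(k):
        doc = build_many_attr_element(k)
        start = time.perf_counter()
        expat.ParserCreate().Parse(doc, True)
        return time.perf_counter() - start

    return parse_seconds(2 * n) / parse_seconds(n)


if __name__ == "__main__":
    v = linked_expat_version()
    print("libexpat %s, patched: %s" % (".".join(map(str, v)), is_patched(v)))
    print("13:1:12 ->", libtool_so_name(13, 1, 12))
    blob = compressed_probe(5000)
    print("probe is %d bytes gzip-compressed" % len(blob))
    try:
        safe_parse(blob, max_bytes=1 << 20, max_attrs=256)
    except AttributeLimitExceeded as exc:
        print("rejected:", exc)
    print("2n/n parse-time ratio at n=20000: %.2f" % scaling_ratio(20000))
```

The two caps in safe_parse are the defence-in-depth that stays useful after the upgrade: the decompressed-size cap addresses the note that a compression layer lets a small upload expand into a "moderately sized" document, and the per-element attribute cap bounds the work an unpatched library would spend before the upgrade lands. The scaling ratio is the quickest way to confirm that the libexpat actually linked into a process behaves linearly, independent of what a version string claims.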