[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Expat 2.2.7 with security fixes has been released
Hi everyone! Expat 2.2.7 [1] has been released a few days ago. Besides improvements to the build system, 2.2.7 fixes security issue CVE-2018-20843 [2] that allowed use of specially crafted XML to cause Denial of Service. The issue was found during fuzzing of LibreOffice by the Chromium team and reported by Caolán McNamara. With regard to Denial of Service protection, libexpat still needs a partner to sponsor additional development workforce — my own time remaining free but limited — to prevent Denial of Service through Billion laughs attacks [3] by default, for the masses, with sane defaults, and with knobs for tuning. If you operate software accepting XML from the internet in an enterprise and aim at 99.9%- and-beyond availability per year, please get in touch. For more details regarding the latest release, please check out the change log [4]. If you maintain Expat packaging and/or a bundled copy of Expat and/or a pinned version of Expat somewhere, please update to 2.2.7. Thank you! Best Sebastian Pipping [1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_7 [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843 [3] https://en.wikipedia.org/wiki/Billion_laughs_attack [4] https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] |
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|