Alerts This Week
Warning Icon 1 626
Alerts This Week
Warning Icon 1 626

Warning: Undefined array key "Description" in /var/www/www.linuxsecurity.com-443/html/lsadvisories/lsadvisories.php on line 220

Fedora: FEDORA-2019-139fcda84d High: Expat Namespace Extraction DoS

fedora
Calendar Grey July 15, 2019
Dist Fedora Esm H88
A remedy for elevated RAM and CPU consumption flaws in the expat XML parser, reducing potential denial-of-service threats in Fedora 29.
This update includes a fix for a security vulnerability, CVE-2018-20843: > Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in th...

Summary

This is expat, the C library for parsing XML, written by James Clark. Expat

is a stream oriented XML parser. This means that you register handlers with

the parser prior to starting the parse. These handlers are called when the

parser discovers the associated structures in the document being parsed. A

start tag is an example of the kind of structures for which you may

register handlers.

This update includes a fix for a security vulnerability, CVE-2018-20843: > Fix

extraction of namespace prefixes from XML names; XML names with multiple colons

could end up in the wrong namespace, and take a high amount of RAM and CPU

resources while processing, opening the door to use for denial-of-service

attacks For more information on the changes in 2.2.7, see the upstream release

notes at: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5

* Thu Jun 27 2019 Joe Orton - 2.2.7-1

- update to 2.2.7 (#1723724, #1722224)

* Thu Jan 31 2019 Fedora Release Engineering - 2.2.6-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

[ 1 ] Bug #1723724 - CVE-2018-20843 expat: large number of colons in input makes parser consume high amount of resources, leading to DoS [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1723724

[ 2 ] Bug #1722224 - expat-2.2.7 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1722224

su -c 'dnf upgrade --advisory FEDORA-2019-139fcda84d' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Topics%20covered

Topics Covered

security advisory Fedora doS expat namespace extraction RAM usage CPU resources

Change Log

References

Update Instructions

Product: Fedora 29
Version: 2.2.7
Release: 1.fc29
URL: https://libexpat.github.io/
Summary: An XML parser library

Topics%20covered

Topics Covered

security advisory Fedora doS expat namespace extraction RAM usage CPU resources

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here