Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 30 Expat Security Advisory FEDORA-2019-18868e1715 Moderate: DoS Risk

fedora
Calendar Grey July 9, 2019
Dist Fedora Esm H88
--------------------------------------------------------------------------------Fedora Update Notifi
This update includes a fix for a security vulnerability, CVE_2018-20843: > Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in th...

Summary

This is expat, the C library for parsing XML, written by James Clark. Expat

is a stream oriented XML parser. This means that you register handlers with

the parser prior to starting the parse. These handlers are called when the

parser discovers the associated structures in the document being parsed. A

start tag is an example of the kind of structures for which you may

register handlers.

This update includes a fix for a security vulnerability, CVE_2018-20843: > Fix

extraction of namespace prefixes from XML names; XML names with multiple colons

could end up in the wrong namespace, and take a high amount of RAM and CPU

resources while processing, opening the door to use for denial-of-service

attacks For more information on the changes in 2.2.7, see the upstream release

notes at: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5

* Thu Jun 27 2019 Joe Orton - 2.2.7-1

- update to 2.2.7 (#1723724, #1722224)

[ 1 ] Bug #1723724 - CVE-2018-20843 expat: large number of colons in input makes parser consume high amount of resources, leading to DoS [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1723724

[ 2 ] Bug #1722224 - expat-2.2.7 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1722224

su -c 'dnf upgrade --advisory FEDORA-2019-18868e1715' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Topics%20covered

Topics Covered

security advisory denial of service Fedora resource consumption expat

Change Log

References

Update Instructions

Product: Fedora 30
Version: 2.2.7
Release: 1.fc30
URL: https://libexpat.github.io/
Summary: An XML parser library

Topics%20covered

Topics Covered

security advisory denial of service Fedora resource consumption expat

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here