-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  expat (SSA:2022-016-01)

New expat packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/expat-2.4.3-i586-1_slack14.2.txz:  Upgraded.
  Fix issues with left shifts by >=29 places resulting in:
    a) realloc acting as free
    b) realloc allocating too few bytes
    c) undefined behavior
  Fix integer overflow on variable m_groupSize in function doProlog leading
  to realloc acting as free. Impact is denial of service or other undefined
  behavior.
  Prevent integer overflows near memory allocation at multiple places.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.

Updated package for Slackware 14.0:

Updated package for Slackware x86_64 14.0:

Updated package for Slackware 14.1:

Updated package for Slackware x86_64 14.1:

Updated package for Slackware 14.2:

Updated package for Slackware x86_64 14.2:

Updated package for Slackware -current:

Updated package for Slackware x86_64 -current:


MD5 signatures:
+-------------+

Slackware 14.0 package:
221489b3cc531df86e938f4b5f86f333  expat-2.4.3-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
567acea852c48adddc4ddb54d7d31b8c  expat-2.4.3-x86_64-1_slack14.0.txz

Slackware 14.1 package:
955d3d04dbe44c58328003e29ab83cef  expat-2.4.3-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
cdedf19fe237eb09786d54c8295658fc  expat-2.4.3-x86_64-1_slack14.1.txz

Slackware 14.2 package:
dc1121c0f3c2e331ee162586103bc61d  expat-2.4.3-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
0476a33c23c7398cce3f48c508538d56  expat-2.4.3-x86_64-1_slack14.2.txz

Slackware -current package:
170535aa026a821b7434a3a4a6987b41  l/expat-2.4.3-i586-1.txz

Slackware x86_64 -current package:
6b978051bba045d94e53890bc5289f49  l/expat-2.4.3-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg expat-2.4.3-i586-1_slack14.2.txz


+-----+

Slackware: 2022-016-01: expat Security Update

January 16, 2022
New expat packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues

Summary

Here are the details from the Slackware 14.2 ChangeLog: patches/packages/expat-2.4.3-i586-1_slack14.2.txz: Upgraded. Fix issues with left shifts by >=29 places resulting in: a) realloc acting as free b) realloc allocating too few bytes c) undefined behavior Fix integer overflow on variable m_groupSize in function doProlog leading to realloc acting as free. Impact is denial of service or other undefined behavior. Prevent integer overflows near memory allocation at multiple places. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827 (* Security fix *)

Where Find New Packages

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.
Updated package for Slackware 14.0:
Updated package for Slackware x86_64 14.0:
Updated package for Slackware 14.1:
Updated package for Slackware x86_64 14.1:
Updated package for Slackware 14.2:
Updated package for Slackware x86_64 14.2:
Updated package for Slackware -current:
Updated package for Slackware x86_64 -current:

MD5 Signatures

Slackware 14.0 package: 221489b3cc531df86e938f4b5f86f333 expat-2.4.3-i486-1_slack14.0.txz
Slackware x86_64 14.0 package: 567acea852c48adddc4ddb54d7d31b8c expat-2.4.3-x86_64-1_slack14.0.txz
Slackware 14.1 package: 955d3d04dbe44c58328003e29ab83cef expat-2.4.3-i486-1_slack14.1.txz
Slackware x86_64 14.1 package: cdedf19fe237eb09786d54c8295658fc expat-2.4.3-x86_64-1_slack14.1.txz
Slackware 14.2 package: dc1121c0f3c2e331ee162586103bc61d expat-2.4.3-i586-1_slack14.2.txz
Slackware x86_64 14.2 package: 0476a33c23c7398cce3f48c508538d56 expat-2.4.3-x86_64-1_slack14.2.txz
Slackware -current package: 170535aa026a821b7434a3a4a6987b41 l/expat-2.4.3-i586-1.txz
Slackware x86_64 -current package: 6b978051bba045d94e53890bc5289f49 l/expat-2.4.3-x86_64-1.txz

Severity
[slackware-security] expat (SSA:2022-016-01)
New expat packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

Installation Instructions

Installation instructions: Upgrade the package as root: # upgradepkg expat-2.4.3-i586-1_slack14.2.txz

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved