[SECURITY] [DLA 1912-1] expat security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1912-1] expat security update
From: "Chris Lamb" <lamby@debian.org>
Date: Fri, 06 Sep 2019 15:21:17 +0100
Message-id: <[🔎] 8d39c283-c83f-485b-bbc3-ea01e26c56fb@www.fastmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : expat
Version        : 2.1.0-6+deb8u6
CVE IDs        : CVE-2019-15903
Debian Bug     : #939394

It was discovered that there was a heap-based buffer overread
vulnerability in expat, an XML parsing library.

A specially-crafted XML input could fool the parser into changing
from DTD parsing to document parsing too early; a consecutive call to
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then
resulted in a heap-based buffer overread.

For Debian 8 "Jessie", this issue has been fixed in expat version
2.1.0-6+deb8u6.

We recommend that you upgrade your expat packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl1ya08ACgkQHpU+J9Qx
Hlgg4hAAw3PlG2jksre6RruwAGPVwGNhCRYDtanL3ODUukQiNAlPin6jwPnnkxIs
Z3elxwyuO3yy8H7dmdcTpslQ4mD4WDaNCbq/xults+uMaxDxLZpgHG50VY/dJ8Ql
iTEJ++RuHi66n4xqSYTkmiVb2UABG/+8Ui3x0oVWuBtvTLsfyPYdxTdKGImGRTx9
iMuayZT/AmcIJ39gssTpZbicfZXzIrpx/Jq5nVzPKzd3UFr4pIpc1Da5jAIQFzOn
ivko4+HZK8VB6PjDg5IUj7x1QvYauX0lfK7epdZRjB6WF7jlIQPYGl3nOOCQgZTi
uXz44fvkbncV0LsHWB1PdNAWJHtdXbap0Esip2Gj8407CjJIvA3KQEoezPZhdQtx
7FTuAZ1W0vRsMT0U3K5aLnGgqzKlXqYpdx4WPyDPf5gBqrrDREgqCqZIdjw6aLkj
evJ9eH/z2+IfPvcqHe7SKWicHLbSQWhZTw6YCN1WVkgEJDdIo2qs93ZvoclpgHVi
1zDna9nqrOFTMUoQ9GX6k0a6tpWvC+pbAA0RltUsjS4Ixf3WQPteMyVt6CTTtzh/
II6SWfrNcKRWdM4crwywu/aPNEb/ahSx8eZlTOy/ydG5zB9HBK5+tSHJmfGn3F4b
GSKJ7WDWVPHzjNGTMThpVddioA2RqaqSgLl2t316tW9dLm09qgo=
=UaWh
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1911-1] exim4 security update
Next by Date: [SECURITY] [DLA 1913-1] memcached security update
Previous by thread: [SECURITY] [DLA 1911-1] exim4 security update
Next by thread: [SECURITY] [DLA 1913-1] memcached security update
Index(es):
- Date
- Thread