Debian Security Advisory

DLA-1912-1 expat -- LTS security update

Date Reported:
06 Sep 2019
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2019-15903.
More information:

It was discovered that there was a heap-based buffer overread vulnerability in expat, an XML parsing library.

  • CVE-2019-15903

    In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

For Debian 8 Jessie, these problems have been fixed in version 2.1.0-6+deb8u6.

We recommend that you upgrade your expat packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: