openEuler Security Advisory openEuler-SA-2022-2057

Title: An update for expat is now available for openEuler-22.03-LTS
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Revision history: 1.0, 2022-11-11, Initial
Initial release date: 2022-11-11
Current release date: 2022-11-11
Generator: openEuler SA Tool V1.0, 2022-11-11
Aggregate severity: Critical
Affected product: openEuler-22.03-LTS
Affected package: expat

Summary

expat security update: an update for expat is now available for openEuler-22.03-LTS.

Description

This package provides static libraries and header files for developing with expat.

Security Fix(es):

- CVE-2022-25235: xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
- CVE-2022-25236: xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
- CVE-2022-25314: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
- CVE-2022-25313: In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
- CVE-2022-25315: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Vulnerability details

Release date for all entries: 2022-11-11. Affected product for all entries: openEuler-22.03-LTS. Remediation for all entries: expat security update, 2022-11-11, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2057

CVE             | Severity | CVSS base score | CVSS vector
----------------+----------+-----------------+------------------------------------------
CVE-2022-25235  | High     | 7.8             | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-25236  | Critical | 9.8             | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-25314  | High     | 7.5             | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-25313  | Medium   | 6.5             | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2022-25315  | Medium   | 6.5             | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Fixed packages (openEuler-22.03-LTS)

aarch64:
- expat-2.4.1-8.oe2203.aarch64.rpm
- expat-devel-2.4.1-8.oe2203.aarch64.rpm
- expat-debuginfo-2.4.1-8.oe2203.aarch64.rpm
- expat-debugsource-2.4.1-8.oe2203.aarch64.rpm

x86_64:
- expat-2.4.1-8.oe2203.x86_64.rpm
- expat-devel-2.4.1-8.oe2203.x86_64.rpm
- expat-debuginfo-2.4.1-8.oe2203.x86_64.rpm
- expat-debugsource-2.4.1-8.oe2203.x86_64.rpm

noarch:
- expat-help-2.4.1-8.oe2203.noarch.rpm

src:
- expat-2.4.1-8.oe2203.src.rpm

References

Advisory:
- https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2057

openEuler CVE pages:
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-25235
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-25236
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-25314
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-25313
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-25315

NVD:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25235
- https://nvd.nist.gov/vuln/detail/CVE-2022-25236
- https://nvd.nist.gov/vuln/detail/CVE-2022-25314
- https://nvd.nist.gov/vuln/detail/CVE-2022-25313
- https://nvd.nist.gov/vuln/detail/CVE-2022-25315