An update for mozjs78 is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1815 Final 1.0 1.0 2024-07-05 Initial 2024-07-05 2024-07-05 openEuler SA Tool V1.0 2024-07-05 mozjs78 security update An update for mozjs78 is now available for openEuler-20.03-LTS-SP4 Security Fix(es): In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).(CVE-2021-45960) xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.(CVE-2022-25235) An update for mozjs78 is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical mozjs78 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1815 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2021-45960 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-25235 https://nvd.nist.gov/vuln/detail/CVE-2021-45960 https://nvd.nist.gov/vuln/detail/CVE-2022-25235 openEuler-20.03-LTS-SP4 mozjs78-78.4.0-9.oe2003sp4.aarch64.rpm mozjs78-debuginfo-78.4.0-9.oe2003sp4.aarch64.rpm mozjs78-debugsource-78.4.0-9.oe2003sp4.aarch64.rpm mozjs78-devel-78.4.0-9.oe2003sp4.aarch64.rpm mozjs78-78.4.0-9.oe2003sp4.src.rpm mozjs78-78.4.0-9.oe2003sp4.x86_64.rpm mozjs78-debuginfo-78.4.0-9.oe2003sp4.x86_64.rpm mozjs78-debugsource-78.4.0-9.oe2003sp4.x86_64.rpm mozjs78-devel-78.4.0-9.oe2003sp4.x86_64.rpm mozjs78-help-78.4.0-9.oe2003sp4.noarch.rpm In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). 2024-07-05 CVE-2021-45960 openEuler-20.03-LTS-SP4 High 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H mozjs78 security update 2024-07-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1815 xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. 2024-07-05 CVE-2022-25235 openEuler-20.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H mozjs78 security update 2024-07-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1815