Bug 25019 - expat new security issue fixed upstream in 2.2.7 (CVE-2018-20843)
Summary: expat new security issue fixed upstream in 2.2.7 (CVE-2018-20843)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-28 14:13 CEST by David Walser
Modified: 2019-08-12 21:38 CEST
CC List: 2 users

See Also:
Source RPM: expat-2.2.6-2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-06-28 14:13:21 CEST
Expat 2.2.7 has been released on June 19:
https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes

The upstream author says that it fixes one CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Mageia 6 is also affected.
David Walser 2019-06-28 14:13:35 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Lewis Smith 2019-06-28 17:27:52 CEST
I think this is yours, Shlomi.

CC: (none) => lewyssmith
Assignee: bugsquad => shlomif

Comment 2 David Walser 2019-08-11 22:37:03 CEST
Debian has issued an advisory for this on June 28:
https://www.debian.org/security/2019/dsa-4472

Comment 3 David Walser 2019-08-11 23:11:44 CEST
Ubuntu has issued an advisory for this on June 26:
https://usn.ubuntu.com/4040-1/

Comment 4 David Walser 2019-08-12 15:42:28 CEST
Shlomi updated Cauldron to 2.2.7 on June 29.

Shlomi uploaded an updated package for Mageia 7.  Waiting for Mageia 6...

expat-2.2.7-1.mga7
libexpat1-2.2.7-1.mga7
libexpat-devel-2.2.7-1.mga7

Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Comment 5 David Walser 2019-08-12 21:38:47 CEST
Advisory:
========================

Updated expat packages fix security vulnerability:

It was discovered that Expat did not properly handle XML input including XML
names that contain a large number of colons, potentially resulting in denial of
service (CVE-2018-20843).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
https://www.debian.org/security/2019/dsa-4472
========================

Updated packages in core/updates_testing:
========================
expat-2.2.7-1.mga6
libexpat1-2.2.7-1.mga6
libexpat-devel-2.2.7-1.mga6
expat-2.2.7-1.mga7
libexpat1-2.2.7-1.mga7
libexpat-devel-2.2.7-1.mga7

from SRPMS:
expat-2.2.7-1.mga6.src.rpm
expat-2.2.7-1.mga7.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif
