Debian-LTS has issued an advisory on January 30: https://www.debian.org/lts/security/2022/dla-2904 The issues are fixed upstream in 2.4.4. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.4.4Whiteboard: (none) => MGA8TOOCC: (none) => nicolas.salguero
'expat' is committed by different people, so assigning this update globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852) Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. (CVE-2022-23990) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23990 https://www.debian.org/lts/security/2022/dla-2904 ======================== Updated packages in core/updates_testing: ======================== expat-2.2.10-1.2.mga8 lib(64)expat1-2.2.10-1.2.mga8 lib(64)expat-devel-2.2.10-1.2.mga8 from SRPM: expat-2.2.10-1.2.mga8.src.rpm
Version: Cauldron => 8Assignee: pkg-bugs => qa-bugsWhiteboard: MGA8TOO => (none)Source RPM: expat-2.4.3-1.mga9.src.rpm => expat-2.2.10-1.1.mga8.src.rpmStatus comment: Fixed upstream in 2.4.4 => (none)Status: NEW => ASSIGNEDCVE: (none) => CVE-2022-23852, CVE-2022-23990
Updated all three packages in VirtualBox, with no installation issues. Consulted with https://wiki.mageia.org/en/QA_procedure:Expat for testing procedure: $ python testexpat.py Tested OK $ xmlwf /etc/xml/catalog $ xmlwf /etc/passwd /etc/passwd:1:16: not well-formed (invalid token) It passes the test. Giving it the OK and validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0048.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED