Ubuntu has issued an advisory on March 14: https://ubuntu.com/security/notices/USN-6694-1 Mageia 9 is affected by both CVEs but Cauldron is only affected by CVE-2024-28757 and should be updated to version 2.6.2.
Source RPM: (none) => expat-2.6.1-1.mga10.src.rpmCVE: (none) => CVE-2023-52425, CVE-2024-28757Status comment: (none) => Fixed upstream in 2.6.2 and patches available from UbuntuWhiteboard: (none) => MGA9TOO
v2.6.1 is only just in Cauldron ! (Thanks to DavidG). Another case of "Should/Can we similarly update M9?". CVE 28757 has links to these 2 expat patches: https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8 https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454 libexpat1 is also impled. CVE 52425 leads to no patch. Different people have updated this, so assigning it globally.
Assignee: bugsquad => pkg-bugsCC: (none) => geiger.david68210
Assigning to QA, Packages in 9/Core/Updates_testing: ====================== expat-2.6.2-1.mga9 lib64expat-devel-2.6.2-1.mga9 lib64expat1-2.6.2-1.mga9 libexpat-devel-2.6.2-1.mga9 libexpat1-2.6.2-1.mga9 From SRPMS: expat-2.6.2-1.mga9.src.rpm
Version: Cauldron => 9Whiteboard: MGA9TOO => (none)Assignee: pkg-bugs => qa-bugs
MGA9-64 Plasma,i5-7500. No installation issues. Followed the procedure from the wiki, as was used in bug 31057 comment 2 (needed test files are attached to bug 31057) [tom@localhost ~]$ python testexpat.py Tested OK [tom@localhost ~]$ python3 testexpat.py Tested OK [tom@localhost ~]$ xmlwf /etc/xml/catalog [tom@localhost ~]$ xmlwf /etc/passwd /etc/passwd:1:16: not well-formed (invalid token) Looks OK. Validating.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA9-64-OKCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0072.html
Status: NEW => RESOLVEDResolution: (none) => FIXED