Reference: https://www.openwall.com/lists/oss-security/2026/01/31/1
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => expat-2.7.3-1.mga10.src.rpm, expat-2.7.3-1.mga9.src.rpm
CVE: (none) => CVE-2026-24515, CVE-2026-25210
Status comment: (none) => Fixed upstream in 2.7.4
Flags: (none) => affects_mga9+
For Cauldron, I asked for a freeze move.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. (CVE-2026-24515)

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. (CVE-2026-25210)

References:
https://www.openwall.com/lists/oss-security/2026/01/31/1
========================

Updated packages in core/updates_testing:
========================
expat-2.7.4-1.mga9
lib(64)expat1-2.7.4-1.mga9
lib(64)expat-devel-2.7.4-1.mga9

from SRPM:
expat-2.7.4-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Source RPM: expat-2.7.3-1.mga10.src.rpm, expat-2.7.3-1.mga9.src.rpm => expat-2.7.3-1.mga9.src.rpm
Status comment: Fixed upstream in 2.7.4 => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Flags: affects_mga9+ => (none)
Assignee: bugsquad => qa-bugs
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.

Followed instructions from wiki:
https://wiki.mageia.org/en/QA_procedure:Expat

$ python testexpat.py
Tested OK
$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

Looks OK.
Flags: (none) => test_passed_mga9_64+
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => advisory
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2026-0031.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED