* [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.6.0
@ 2024-02-06 20:42 Fabrice Fontaine
2024-02-06 20:52 ` Peter Korsgaard
2024-02-29 22:01 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2024-02-06 20:42 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
Security fixes:
- CVE-2023-52425: Fix quadratic runtime issues with big tokens that can
cause denial of service, in partial where dealing with compressed XML
input. Applications that parsed a document in one go -- a single call
to functions XML_Parse or XML_ParseBuffer -- were not affected. The
smaller the chunks/buffers you use for parsing previously, the bigger
the problem prior to the fix.
- CVE-2023-52426: Fix billion laughs attacks for users compiling
*without* XML_DTD defined (which is not common). Users with XML_DTD
defined have been protected since Expat >=2.4.0 (and that was
CVE-2013-0340 back then).
https://blog.hartwork.org/posts/expat-2-6-0-released/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/expat/expat.hash | 8 ++++----
package/expat/expat.mk | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index c6c25aa3e0..043501378b 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -1,7 +1,7 @@
-# From https://sourceforge.net/projects/expat/files/expat/2.5.0/
-md5 ac6677b6d1b95d209ab697ce8b688704 expat-2.5.0.tar.xz
-sha1 5178e13c1e34f4643d5118d5758babfe0e836fe2 expat-2.5.0.tar.xz
+# From https://sourceforge.net/projects/expat/files/expat/2.6.0/
+md5 bd169cb11f4b9bdfddadf9e88a5c4d4b expat-2.6.0.tar.xz
+sha1 d87e8ab2a3c1deb858c6b22e5ade9d5673086004 expat-2.6.0.tar.xz
# Locally calculated
-sha256 ef2420f0232c087801abf705e89ae65f6257df6b7931d37846a193ef2e8cdcbe expat-2.5.0.tar.xz
+sha256 cb5f5a8ea211e1cabd59be0a933a52e3c02cc326e86a4d387d8d218e7ee47a3e expat-2.6.0.tar.xz
sha256 122f2c27000472a201d337b9b31f7eb2b52d091b02857061a8880371612d9534 COPYING
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index 6f22024cc0..5f4016e0d1 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -4,7 +4,7 @@
#
################################################################################
-EXPAT_VERSION = 2.5.0
+EXPAT_VERSION = 2.6.0
EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.xz
EXPAT_INSTALL_STAGING = YES
--
2.43.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.6.0
2024-02-06 20:42 [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.6.0 Fabrice Fontaine
@ 2024-02-06 20:52 ` Peter Korsgaard
2024-02-29 22:01 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-02-06 20:52 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Security fixes:
> - CVE-2023-52425: Fix quadratic runtime issues with big tokens that can
> cause denial of service, in partial where dealing with compressed XML
> input. Applications that parsed a document in one go -- a single call
> to functions XML_Parse or XML_ParseBuffer -- were not affected. The
> smaller the chunks/buffers you use for parsing previously, the bigger
> the problem prior to the fix.
> - CVE-2023-52426: Fix billion laughs attacks for users compiling
> *without* XML_DTD defined (which is not common). Users with XML_DTD
> defined have been protected since Expat >=2.4.0 (and that was
> CVE-2013-0340 back then).
> https://blog.hartwork.org/posts/expat-2-6-0-released/
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.6.0
2024-02-06 20:42 [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.6.0 Fabrice Fontaine
2024-02-06 20:52 ` Peter Korsgaard
@ 2024-02-29 22:01 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-02-29 22:01 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Security fixes:
> - CVE-2023-52425: Fix quadratic runtime issues with big tokens that can
> cause denial of service, in partial where dealing with compressed XML
> input. Applications that parsed a document in one go -- a single call
> to functions XML_Parse or XML_ParseBuffer -- were not affected. The
> smaller the chunks/buffers you use for parsing previously, the bigger
> the problem prior to the fix.
> - CVE-2023-52426: Fix billion laughs attacks for users compiling
> *without* XML_DTD defined (which is not common). Users with XML_DTD
> defined have been protected since Expat >=2.4.0 (and that was
> CVE-2013-0340 back then).
> https://blog.hartwork.org/posts/expat-2-6-0-released/
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2023.02.x and 2023.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-02-29 22:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-06 20:42 [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.6.0 Fabrice Fontaine
2024-02-06 20:52 ` Peter Korsgaard
2024-02-29 22:01 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox