[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-SUSE-SU-2025:20207-1":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T14:55:33.319Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":34,"duplicates":35,"related":36,"reserved_at":9,"published_at":47,"modified_at":48,"state":9,"summary":49,"references_raw":51,"kevs":136,"epss":9,"epss_history":137,"metrics":138,"affected":139},"SUSE-SU-2025:20207-1","Security update for expat\n\nThis update for expat fixes the following issues:\n\nVersion update to 2.7.1:\n\n* Bug fixes:\n\n  * Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0);\n    affected API functions are:\n\n    - XML_GetCurrentByteCount\n    - XML_GetCurrentByteIndex\n    - XML_GetCurrentColumnNumber\n    - XML_GetCurrentLineNumber\n    - XML_GetInputContext\n\n  * Other changes:\n       #976 #977  Autotools: Integrate files \"fuzz/xml_lpm_fuzzer.{cpp,proto}\"\n                    with Automake that were missing from 2.7.0 release tarballs\n       #983 #984  Fix printf format specifiers for 32bit Emscripten\n            #992  docs: Promote OpenSSF Best Practices self-certification\n            #978  tests/benchmark: Resolve mistaken double close\n            #986  Address compiler warnings\n       #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)\n                    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/\n                    for what these numbers do\n\n        Infrastructure:\n            #982  CI: Start running Perl XML::Parser integration tests\n            #987  CI: Enforce Clang Static Analyzer clean code\n            #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized\n                    for clang-tidy\n            #981  CI: Cover compilation with musl\n       #983 #984  CI: Cover compilation with 32bit Emscripten\n       #976 #977  CI: Protect against 
fuzzer files missing from future\n                    release archives\n\nVersion update to 2.7.0 (CVE-2024-8176 [bsc#1239618])\n\n* Security fixes:\n  * CVE-2024-8176 -- Fix crash from chaining a large number\n    of entities caused by stack overflow by resolving use of\n    recursion, for all three uses of entities:\n    - general entities in character data (\"\u003Ce>&g1;\u003C/e>\")\n    - general entities in attribute values (\"\u003Ce k1='&g1;'/>\")\n    - parameter entities (\"%p1;\")\n\n   Known impact is (reliable and easy) denial of service:\n\n   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C\n\n   (Base Score: 7.5, Temporal Score: 7.2)\n\n   Please note that a layer of compression around XML can\n   significantly reduce the minimum attack payload size.\n\n   * Other changes:\n     * Document changes since the previous release\n     * Version info bumped from 11:0:10 (libexpat*.so.1.10.0)\n       to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/\n       for what these numbers do\n\nVersion update to 2.6.4:\n\n  * Security fixes: [bsc#1232601][bsc#1232579]\n    * CVE-2024-50602 -- Fix crash within function XML_ResumeParser\n      from a NULL pointer dereference by disallowing function\n      XML_StopParser to (stop or) suspend an unstarted parser.\n      A new error code XML_ERROR_NOT_STARTED was introduced to\n      properly communicate this situation.  
// CWE-476 CWE-754\n  * Other changes:\n    * Version info bumped from 10:3:9 (libexpat*.so.1.9.3)\n      to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/\n      for what these numbers do\n\nUpdate to 2.6.3:\n\n  * Security fixes:\n    - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with\n      len \u003C 0 without noticing and then calling XML_GetBuffer\n      will have XML_ParseBuffer fail to recognize the problem\n      and XML_GetBuffer corrupt memory.\n      With the fix, XML_ParseBuffer now complains with error\n      XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse\n      has been doing since Expat 2.2.1, and now documented.\n      Impact is denial of service to potentially arbitrary code\n      execution.\n    - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an\n      integer overflow for nDefaultAtts on 32-bit platforms\n      (where UINT_MAX equals SIZE_MAX).\n      Impact is denial of service to potentially arbitrary code\n      execution.\n    - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can\n      have an integer overflow for m_groupSize on 32-bit\n      platforms (where UINT_MAX equals SIZE_MAX).\n      Impact is denial of service to potentially arbitrary code\n      execution.\n\n  * Other changes:\n\n    - Version info bumped from 10:2:9 (libexpat*.so.1.9.2)\n      to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/\n      for what these numbers do  \n\nUpdate to 2.6.2:\n\n  * CVE-2024-28757 -- Prevent billion laughs attacks with isolated\n    use of external parsers (bsc#1221289)\n  * Reject direct parameter entity recursion and avoid the related\n    undefined behavior\n\nUpdate to 2.6.1:\n\n  * Expose billion laughs API with XML_DTD defined and XML_GE\n    undefined, regression from 2.6.0\n  * Make tests independent of CPU speed, and thus more robust\n\nUpdate to 2.6.0: \n\n  * Security fixes:\n    - CVE-2023-52425 (bsc#1219559)  \n      Fix quadratic runtime issues 
with big tokens\n      that can cause denial of service, in particular when\n      dealing with compressed XML input.  Applications\n      that parsed a document in one go -- a single call to\n      functions XML_Parse or XML_ParseBuffer -- were not affected.\n      The smaller the chunks/buffers you use for parsing\n      previously, the bigger the problem prior to the fix.\n      Backporters should be careful to not omit parts of\n      pull request #789 and to include earlier pull request #771,\n      in order to not break the fix.\n    - CVE-2023-52426 (bsc#1219561)\n      Fix billion laughs attacks for users\n      compiling *without* XML_DTD defined (which is not common).\n      Users with XML_DTD defined have been protected since\n      Expat >=2.4.0 (and that was CVE-2013-0340 back then).\n  * Bug fixes:\n    - Fix parse-size-dependent \"invalid token\" error for\n      external entities that start with a byte order mark\n    - Fix NULL pointer dereference in setContext via\n      XML_ExternalEntityParserCreate for compilation with\n      XML_DTD undefined\n    - Protect against closing entities out of order\n  * Other changes:\n    - Improve support for arc4random/arc4random_buf\n    - Improve buffer growth in XML_GetBuffer and XML_Parse\n    - xmlwf: Support --help and --version\n    - xmlwf: Support custom buffer size for XML_GetBuffer and read\n    - xmlwf: Improve language and URL clickability in help output\n    - examples: Add new example \"element_declarations.c\"\n    - Be stricter about macro XML_CONTEXT_BYTES at build time\n    - Make inclusion to expat_config.h consistent\n    - Autotools: configure.ac: Support --disable-maintainer-mode\n    - Autotools: Sync CMake templates with CMake 3.26\n    - Autotools: Make installation of shipped man page doc/xmlwf.1\n      independent of docbook2man availability\n    - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file\n      section \"Cflags.private\" in order to fix compilation\n      against 
static libexpat using pkg-config on Windows\n    - Autotools|CMake: Require a C99 compiler\n      (a de-facto requirement already since Expat 2.2.2 of 2017)\n    - Autotools|CMake: Fix PACKAGE_BUGREPORT variable\n    - Autotools|CMake: Make test suite require a C++11 compiler\n    - CMake: Require CMake >=3.5.0\n    - CMake: Lowercase off_t and size_t to help a bug in Meson\n    - CMake: Sort xmlwf sources alphabetically\n    - CMake|Windows: Fix generation of DLL file version info\n    - CMake: Build tests/benchmark/benchmark.c as well for\n      a build with -DEXPAT_BUILD_TESTS=ON\n    - docs: Document the importance of isFinal + adjust tests\n      accordingly\n    - docs: Improve use of \"NULL\" and \"null\"\n    - docs: Be specific about version of XML (XML 1.0r4)\n      and version of C (C99); (XML 1.0r5 will need a sponsor.)\n    - docs: reference.html: Promote function XML_ParseBuffer more\n    - docs: reference.html: Add HTML anchors to XML_* macros\n    - docs: reference.html: Upgrade to OK.css 1.2.0\n    - docs: Fix typos\n    - docs|CI: Use HTTPS URLs instead of HTTP at various places\n    - Address compiler warnings\n    - Address clang-tidy warnings\n    - Version info bumped from 9:10:8 (libexpat*.so.1.8.10)\n      to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/\n      for what these numbers 
do\n",null,[],[],[],[14,16,18,20,22,24,26,28,30,32],{"_key":15},"CVE-2013-0340",{"_key":17},"CVE-2019-15903",{"_key":19},"CVE-2023-52425",{"_key":21},"CVE-2023-52426",{"_key":23},"CVE-2024-28757",{"_key":25},"CVE-2024-45490",{"_key":27},"CVE-2024-45491",{"_key":29},"CVE-2024-45492",{"_key":31},"CVE-2024-50602",{"_key":33},"CVE-2024-8176",[],[],[37,38,39,40,41,42,43,44,45,46],{"_key":15},{"_key":17},{"_key":19},{"_key":21},{"_key":23},{"_key":25},{"_key":27},{"_key":29},{"_key":31},{"_key":33},"2025-04-29T11:07:45Z","2026-03-23T04:50:04.767104Z",{"cisa_kev":50,"cisa_ransomware":50,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[52,58,63,67,71,75,79,83,87,91,95,100,104,108,112,116,120,124,128,132],{"url":53,"sources":54,"tags":56},"https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/",[55],"osv_suse",[57],"Advisory",{"url":59,"sources":60,"tags":61},"https://bugzilla.suse.com/1219559",[55],[62],"REPORT",{"url":64,"sources":65,"tags":66},"https://bugzilla.suse.com/1219561",[55],[62],{"url":68,"sources":69,"tags":70},"https://bugzilla.suse.com/1221289",[55],[62],{"url":72,"sources":73,"tags":74},"https://bugzilla.suse.com/1229930",[55],[62],{"url":76,"sources":77,"tags":78},"https://bugzilla.suse.com/1229931",[55],[62],{"url":80,"sources":81,"tags":82},"https://bugzilla.suse.com/1229932",[55],[62],{"url":84,"sources":85,"tags":86},"https://bugzilla.suse.com/1232579",[55],[62],{"url":88,"sources":89,"tags":90},"https://bugzilla.suse.com/1232601",[55],[62],{"url":92,"sources":93,"tags":94},"https://bugzilla.suse.com/1239618",[55],[62],{"url":96,"sources":97,"tags":98},"https://www.suse.com/security/cve/CVE-2013-0340",[55],[99],"WEB",{"url":101,"sources":102,"tags":103},"https://www.suse.com/security/cve/CVE-2019-15903",[55],[99],{"url":105,"sources":106,"tags":107},"https://www.suse.com/security/cve/CVE-2023-52425",[55],[99],{"url
":109,"sources":110,"tags":111},"https://www.suse.com/security/cve/CVE-2023-52426",[55],[99],{"url":113,"sources":114,"tags":115},"https://www.suse.com/security/cve/CVE-2024-28757",[55],[99],{"url":117,"sources":118,"tags":119},"https://www.suse.com/security/cve/CVE-2024-45490",[55],[99],{"url":121,"sources":122,"tags":123},"https://www.suse.com/security/cve/CVE-2024-45491",[55],[99],{"url":125,"sources":126,"tags":127},"https://www.suse.com/security/cve/CVE-2024-45492",[55],[99],{"url":129,"sources":130,"tags":131},"https://www.suse.com/security/cve/CVE-2024-50602",[55],[99],{"url":133,"sources":134,"tags":135},"https://www.suse.com/security/cve/CVE-2024-8176",[55],[99],[],[],[],[140],{"ecosystem":141,"name":142,"vendor":143,"product":144,"cpe_part":9,"purl_type":145,"purl_namespace":143,"purl_name":144,"source":9,"versions":146},"SUSE Linux Enterprise","expat","suse","expat&distro=SUSE Linux Micro 6.0","rpm",[147],{"version":148,"is_range":149,"range_type":150,"version_start":9,"version_start_type":9,"version_end":151,"version_end_type":152,"fixed_in":9},"lt2_7_1_1_1",true,"ecosystem","2.7.1-1.1","excluding"]