| Field | Value |
|---|---|
| Summary | <dev-libs/expat-2.4.0: Vulnerable to "Billion Laughs Attack" (CVE-2013-0340) |
| Product | Gentoo Security |
| Reporter | Sebastian Pipping `<sping>` |
| Component | Vulnerabilities |
| Assignee | Gentoo Security `<security>` |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | freedesktop-bugs, sam |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes#L19 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=458742 |
| Whiteboard | A3 [glsa+] |
| Package list | dev-libs/expat-2.4.1 |
| Runtime testing required | --- |
Description
Sebastian Pipping, 2021-05-23 19:09:02 UTC

Thanks sping. Let us know when it's ready to stable. (aside: register your nick on Libera now we're migrating there? Maybe even hang around afterwards! ;))

Unable to check for sanity:

> no match for package: dev-libs/expat-2.4.0

All sanity-check issues have been resolved

(In reply to Sam James from comment #1)

> Thanks sping. Let us know when it's ready to stable.

I'm happy with any date. What would be your preferences?

> (aside: register your nick on Libera now we're migrating there? Maybe even
> hang around afterwards! ;))

Thanks for the nudge about it, I just registered.

We usually go faster for security bugs but try to balance the risk of the changes since the last version against the severity of any bugs. Whenever you're happy (could be now, or a week), we'll add CC-ARCHES.

(In reply to Sam James from comment #5)

> Whenever you're happy (could be now, or a week), we'll add CC-ARCHES.

Alright, let's go! :)

- arm64 done
- arm done
- x86 done
- amd64 done
- ppc done
- ppc64 done
- sparc stable
- hppa stable

Please clean up, thanks!

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90eadb7bb21b4941c9d6297c0725edef87e49837

```text
commit 90eadb7bb21b4941c9d6297c0725edef87e49837
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-05-28 21:21:38 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-05-28 21:22:54 +0000

    dev-libs/expat: Drop vulnerable

    Bug: https://bugs.gentoo.org/791703
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.19, Repoman-3.0.3

 dev-libs/expat/Manifest            |  2 -
 dev-libs/expat/expat-2.2.10.ebuild | 99 --------------------------------------
 dev-libs/expat/expat-2.3.0.ebuild  | 99 --------------------------------------
 3 files changed, 200 deletions(-)
```

Thanks!

Unable to check for sanity:

> no match for package: dev-libs/expat-2.4.1

GLSA request filed

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=03f0a34b2dd087d0388307c6a72febd44202bb20

```text
commit 03f0a34b2dd087d0388307c6a72febd44202bb20
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:24:39 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000

    [ GLSA 202209-24 ] Expat: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/791703
    Bug: https://bugs.gentoo.org/830422
    Bug: https://bugs.gentoo.org/831918
    Bug: https://bugs.gentoo.org/833431
    Bug: https://bugs.gentoo.org/870097
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-24.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
```

GLSA released, all done!