From ${URL}: It was found that calling XML_Parse ahead of rand() causes the pseudo-random generator to produce predictable, non-random numbers. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1197087 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
In Git now: https://github.com/gentoo/gentoo/commit/04f12ff7fde845e4fc896786719fbd6a2e727666 Stabilize?
@arches, please stabilize: =dev-libs/expat-2.1.1-r2
Stable on alpha.
Stable for PPC64.
Stable for HPPA.
arm stable
CVE-2016-5300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5300): The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
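The two reports above describe one defect from two sides: XML_Parse reseeding the process-wide rand() state (so the caller's sequence becomes clock-derived and predictable) and a hash salt drawn from that low-entropy source. The following added example is not expat's code and does not link expat; it uses a constructed stand-in for the reseeding pattern, a regression check a packager can run against any library to see whether it clobbers the global PRNG, and a private-entropy variant that passes the check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Constructed stand-in for the flawed pattern described in the report:
   reseed the shared rand() state from the clock, then draw a salt from it.
   This is an illustration, not expat's implementation. */
unsigned long library_salt_from_global_rand(void) {
    srand((unsigned)time(NULL));          /* clobbers the caller's seed */
    return (unsigned long)rand();         /* ~32 bits at most, clock-derived */
}

/* Private-entropy variant (hypothetical fix for the illustration): the salt
   comes from the kernel and the shared rand() state is never touched.
   A return of 0 means no entropy was available and must be treated as failure. */
unsigned long library_salt_private_entropy(void) {
    unsigned long salt = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    if (fread(&salt, sizeof salt, 1, f) != 1) salt = 0;
    fclose(f);
    return salt;
}

/* Regression check: seed rand() with a fixed value twice. The second run
   must reproduce the first even though the library is called in between.
   Returns 1 if the library changed the caller's rand() sequence, else 0. */
int library_clobbers_global_prng(unsigned long (*lib)(void)) {
    int expected[4], observed[4];
    srand(12345u);
    for (int i = 0; i < 4; i++) expected[i] = rand();

    srand(12345u);
    observed[0] = rand();
    observed[1] = rand();
    (void)lib();                          /* the call under test */
    observed[2] = rand();
    observed[3] = rand();

    for (int i = 0; i < 4; i++)
        if (expected[i] != observed[i]) return 1;
    return 0;
}
```

The check is what an application that seeds rand() itself would want in its test suite: a dependency that passes it cannot turn the application's own random numbers into the predictable sequence the report describes.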
amd64 stable
x86 stable. Maintainer(s), please clean up.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21 by GLSA coordinator Aaron Bauman (b-man).