expat-2.1.0-12.el7

Errata ID: AXSA:2020-569:02

Release date: Monday, October 5, 2020 - 10:50
Subject: expat-2.1.0-12.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843)

* expat: heap-based buffer over-read via crafted XML input (CVE-2019-15903)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.9 Release Notes linked from the References section.

CVE-2018-20843
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
CVE-2019-15903
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. expat-2.1.0-12.el7.src.rpm
    MD5: 58d0cb6575e4e9b727a63f61591d333b
    SHA-256: 6c61e111573bcada06afa291360c9b5516de58639cb58e58b70ebb6354100991
    Size: 568.58 kB

Asianux Server 7 for x86_64
  1. expat-2.1.0-12.el7.x86_64.rpm
    MD5: fc37bcdd09ab7d18e0ed382348f67ab9
    SHA-256: 45483f03450583f1e16ce3901612dafc12a6932a538ae7eb95e7197aa397db95
    Size: 79.79 kB
  2. expat-devel-2.1.0-12.el7.x86_64.rpm
    MD5: f5ffb6259f62f9892d9b3969113cd714
    SHA-256: 1abdf22fa6a39b1b413d864db10fb0973d3e57b6b21b8abcf3ca773cdab13ffa
    Size: 55.86 kB
  3. expat-2.1.0-12.el7.i686.rpm
    MD5: c45f9e01420121178c63b2e4936db817
    SHA-256: af72e33e7a9387e1d2a1d832a46ae3fd0e5fd11cacb3a69cc6b852d699545051
    Size: 79.70 kB
  4. expat-devel-2.1.0-12.el7.i686.rpm
    MD5: 75eca9daef847101736269c2d6886097
    SHA-256: 89bd02eb7d9f050ee595dae703ed0c6312dd9177cf5adb966f6ec7440cd156b9
    Size: 55.89 kB