Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 08 Mar 2012 22:01:38 -0700
From: Kurt Seifried <>
Subject: expat 2.1.0beta fixes 5 Denial of Service attacks, CVE's/details

So expat is releasing an update (2.0.1 -> 2.1.0) which is the first one
in a while (which is a testament to the stability and reliability of
expat). If you want to help Karl Waclawek (, the
author of expat out (and by extension pretty much everyone using Open
Source that parses xml using expat which is a lot of stuff), please test
the 2.1.0beta and send him feedback (works, doesn't work, etc.). Two of
the issues were already assigned CVE's back in 2009, the rest got 2012
because that where we are now.

Changes in Expat 2.1.0beta:

#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.

#1990430: CVE-2009-3720 - Parser crash with specially formatted UTF-8

#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().

#2958794: CVE-2012-1148 - Memory leak in poolGrow.

#3496608: CVE-2012-0876 - Hash DOS attack.

Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.