An update for expat is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1261
Final
1.0
1.0
2021-07-10
Initial
2021-07-10
2021-07-10
openEuler SA Tool V1.0
2021-07-10
expat security update
An update for expat is now available for openEuler-20.03-LTS-SP1.
expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial.
Security Fix(es):
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.(CVE-2013-0340)
An update for expat is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
Medium
expat
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1261
https://openeuler.org/en/security/cve/detail.html?id=CVE-2013-0340
https://nvd.nist.gov/vuln/detail/CVE-2013-0340
openEuler-20.03-LTS-SP1
expat-debugsource-2.2.9-3.oe1.aarch64.rpm
expat-2.2.9-3.oe1.aarch64.rpm
expat-devel-2.2.9-3.oe1.aarch64.rpm
expat-debuginfo-2.2.9-3.oe1.aarch64.rpm
expat-help-2.2.9-3.oe1.noarch.rpm
expat-2.2.9-3.oe1.src.rpm
expat-debuginfo-2.2.9-3.oe1.x86_64.rpm
expat-debugsource-2.2.9-3.oe1.x86_64.rpm
expat-2.2.9-3.oe1.x86_64.rpm
expat-devel-2.2.9-3.oe1.x86_64.rpm
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
2021-07-10
CVE-2013-0340
openEuler-20.03-LTS-SP1
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
expat security update
2021-07-10
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1261