Cart
[Home] [By Thread] [By Date] [Recent Entries]
Hello everyone! (A *longer* blog-post version of this e-mail is available online at https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/ .) Expat 2.4.0 [1] and follow-up release 2.4.1 [2] have both been released earlier today. Release 2.4.0 fixes long known security issue CVE-2013-0340 [3] by adding protection against so-called Billion Laughs Attacks [4], a form of denial of service against applications accepting XML input, in all known variations, including recent flavor Parameter Laughs [6]. [..] Besides this security fix, there is the usual bunch of fixes and improvements in tooling, documentation, and the two build systems. For more details, please check out the change log [6]. If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.1. Thank you! Best Sebastian Pipping [1] https://github.com/libexpat/libexpat/releases/tag/R_2_4_0 [2] https://github.com/libexpat/libexpat/releases/tag/R_2_4_1 [3] https://marc.info/?l=oss-security&m=136580776324285&w=2 [4] https://en.wikipedia.org/wiki/Billion_laughs_attack [5] https://blog.hartwork.org/posts/cve-2021-3541-parameter-laughs-fixed-in-libxml2-2-9-11/ [6] https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] |
