-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3224
                            expat security update
                                 2 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           expat
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25314 CVE-2022-25313

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:5244

Comment: CVSS (Max):  7.5 CVE-2022-25314 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: expat security update
Advisory ID:       RHSA-2022:5244-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5244
Issue date:        2022-06-28
CVE Names:         CVE-2022-25313 CVE-2022-25314
=====================================================================

1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: stack exhaustion in doctype parsing (CVE-2022-25313)

* expat: integer overflow in copyString() (CVE-2022-25314)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library
must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2056350 - CVE-2022-25313 expat: stack exhaustion in doctype parsing
2056354 - CVE-2022-25314 expat: integer overflow in copyString()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:
expat-debuginfo-2.2.10-12.el9_0.2.aarch64.rpm
expat-debugsource-2.2.10-12.el9_0.2.aarch64.rpm
expat-devel-2.2.10-12.el9_0.2.aarch64.rpm

ppc64le:
expat-debuginfo-2.2.10-12.el9_0.2.ppc64le.rpm
expat-debugsource-2.2.10-12.el9_0.2.ppc64le.rpm
expat-devel-2.2.10-12.el9_0.2.ppc64le.rpm

s390x:
expat-debuginfo-2.2.10-12.el9_0.2.s390x.rpm
expat-debugsource-2.2.10-12.el9_0.2.s390x.rpm
expat-devel-2.2.10-12.el9_0.2.s390x.rpm

x86_64:
expat-debuginfo-2.2.10-12.el9_0.2.i686.rpm
expat-debuginfo-2.2.10-12.el9_0.2.x86_64.rpm
expat-debugsource-2.2.10-12.el9_0.2.i686.rpm
expat-debugsource-2.2.10-12.el9_0.2.x86_64.rpm
expat-devel-2.2.10-12.el9_0.2.i686.rpm
expat-devel-2.2.10-12.el9_0.2.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:
expat-2.2.10-12.el9_0.2.src.rpm

aarch64:
expat-2.2.10-12.el9_0.2.aarch64.rpm
expat-debuginfo-2.2.10-12.el9_0.2.aarch64.rpm
expat-debugsource-2.2.10-12.el9_0.2.aarch64.rpm

ppc64le:
expat-2.2.10-12.el9_0.2.ppc64le.rpm
expat-debuginfo-2.2.10-12.el9_0.2.ppc64le.rpm
expat-debugsource-2.2.10-12.el9_0.2.ppc64le.rpm

s390x:
expat-2.2.10-12.el9_0.2.s390x.rpm
expat-debuginfo-2.2.10-12.el9_0.2.s390x.rpm
expat-debugsource-2.2.10-12.el9_0.2.s390x.rpm

x86_64:
expat-2.2.10-12.el9_0.2.i686.rpm
expat-2.2.10-12.el9_0.2.x86_64.rpm
expat-debuginfo-2.2.10-12.el9_0.2.i686.rpm
expat-debuginfo-2.2.10-12.el9_0.2.x86_64.rpm
expat-debugsource-2.2.10-12.el9_0.2.i686.rpm
expat-debugsource-2.2.10-12.el9_0.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYr6jyNzjgjWX9erEAQgJLRAAoVmyqE4rn7jkdGdGSAYul2o8FPyxaXqR
s+y3gIgEQCU6smafoEjBMGwL2AmHxZdsVVc+IxI8SsVK6MsPTGvaHLQaGHrKiDpP
pfds/XtRpf6VxF5CpxBF6VV88oruAwbm0GzWIP9kEa6FoXXUlQ9JkUJQYvKglWby
wpzmjijQXzBvCVGl5q9JZ0iJY3ksQedRNxnVvi6CoPLbUoUXTdj87uyyPD/CHevd
DzzNacxrminV287qhJb8n8mej2gYpIwsYk6HEMSig/TiMqUWNmV76WPKedhaqp/V
4SoQeL2CSX0Hs2PwYgRWXQmo96yLd2HHvOqySEhZFuE+dgX+yqiBHPuR2WoXfp4L
AkUBJsXb3LPYnDN838SJSwKP2t6KKu9ONTr2j8c46XEXtQpXyiIEPlwa0kgvMi/t
75NMHEOc4A6TDTE5sLyCIL34RLz6mHFQBPPRefHEZJpzZpxf8ZcXgfdb4nFLhHWq
vp2voHxaL+LGZKMy6ZqRSPTKEQKIoeqqGHJjR4+0xdC2uyiMi+kEBvuqLtxghpoN
9aRItq4sH2yCe4e1Axl7vzEnOHY1JKdFNTiMNTFHMg8Tu2JERL5KSHUxGi1XaXcy
f2XKCezVVoVLu8UoTXC7/jiUjMB3YTDYeGoxiiO5XMUifZNVUkubDjtFqYDJ992L
SjHsc4yc1oU=
=f4B9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYr90RskNZI30y1K9AQj0WRAAlfgpWB5WkiqXd6Fk3jEKFThxsKzq0tcB
fMbdgzvip6lJPe++k+JOtPcBIZi+omblgj8vMKrvaBqDZNeBuzHTf36GCP7qS4a5
xcKJBD7H59JKumVcDORBf5Zyqs4gGz5CzvSBLhStPyuQYgKYGWG7PdO7q3nPwukp
PJ2A/lNibvPfX2gXM2MHFh/ZHFU9OgoBA/tLjwwTLnkRG06Eu+K2BmtyK+6zFYoL
n02ZenfTdgTOOXICZm4j7QOwWbiZ/ak9jsdH8S3XhDEsMZ6VQ3z/5R5DMPoczQfE
J2308ejH6Anhe3zN1JW0lVK3NVSqQavoEcxNz1HQy3Gk6TSWvXAhnSaxIt+XJ9NV
J5wl+ekhwm+m+TQvNBMlXMOHL2QPHcsyFKyF1DYYdyiAEOI9NWWXNUDQ6gDr2d6H
lHQXxe642teLtg7quJabja12h4APZOA5uk+G6HNYoWITefG3TA2+ovMR0gxI0khr
7sCMyhVv1kZMxyE45OpFrDOVq1LDAc+l3AQdY7tL+640x1PNV7ApGJ78EJAQVM31
kp3AwPYzhCxLW1wGZY+BF/NoPUJyD1w1MwqIwE95wFfNOkAq2db+K9Yi/0LJIzo4
wqXfIxod5O2uFoG1oyadwC5Suxj0WqrxfpmQAVsN42VuDgzsluXywCRuCZmTgCCD
B/zCl93itx4=
=JLF1
-----END PGP SIGNATURE-----
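The two checks an administrator actually runs after section 4 ("Solution") of the advisory, as an added example that is not part of the Red Hat advisory or the AusCERT bulletin: first, whether the installed expat build is older than the fixed build named in the package list (2.2.10-12.el9_0.2), and second, which running processes still map a libexpat that has been replaced on disk and therefore still need the restart the advisory calls for. It assumes the standard `rpm -q` name-version-release.arch output and the usual Linux /proc/<pid>/maps layout; the two sample maps files and their PIDs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory or the AusCERT bulletin.
# Fixed expat EVR taken from the advisory's package list (2.2.10-12.el9_0.2).
# Assumptions: `rpm -q expat` prints name-version-release.arch (standard
# NVR format) and /proc/<pid>/maps follows the usual Linux layout.

FIXED_EVR="2.2.10-12.el9_0.2"

# nvr_to_evr NVR -> prints version-release, dropping package name and arch.
# The name may contain hyphens; version and release never do.
nvr_to_evr() {
    nvr="$1"
    rel_arch=${nvr##*-}                          # e.g. 12.el9_0.2.x86_64
    version=${nvr%-*}; version=${version##*-}    # e.g. 2.2.10
    printf '%s-%s\n' "$version" "${rel_arch%.*}"
}

# evr_cmp A B -> prints -1, 0 or 1. Compares numeric segments only, which
# is a simplification of rpm's vercmp but sufficient for these release strings.
evr_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[^0-9]+"); nb = split(b, y, "[^0-9]+")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# needs_update NVR -> true when the installed build is older than the fix.
needs_update() {
    [ "$(evr_cmp "$(nvr_to_evr "$1")" "$FIXED_EVR")" -lt 0 ]
}

# stale_expat_pids [PROCROOT] -> PIDs still mapping a libexpat that was
# replaced on disk; the kernel marks such mappings "(deleted)". These are
# the "applications using the Expat library" that still need a restart.
stale_expat_pids() {
    procroot="${1:-/proc}"
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libexpat\.so[^ ]* (deleted)$' "$maps"; then
            pid=${maps%/maps}; printf '%s\n' "${pid##*/}"
        fi
    done
}

# Constructed sample data so the script runs offline: two fake processes,
# one still holding the old library, one already restarted.
SAMPLE_PROC=$(mktemp -d)
mkdir -p "$SAMPLE_PROC/1234" "$SAMPLE_PROC/5678"
cat > "$SAMPLE_PROC/1234/maps" <<'EOF'
7f3a1c200000-7f3a1c22a000 r-xp 00000000 fd:00 1310889  /usr/lib64/libexpat.so.1 (deleted)
EOF
cat > "$SAMPLE_PROC/5678/maps" <<'EOF'
7f9b4e000000-7f9b4e02a000 r-xp 00000000 fd:00 1310999  /usr/lib64/libexpat.so.1
EOF

for nvr in expat-2.2.10-12.el9_0.1.x86_64 expat-2.2.10-12.el9_0.2.x86_64; do
    if needs_update "$nvr"; then echo "$nvr: older than fix, update"; else echo "$nvr: fixed"; fi
done
echo "processes still mapping a replaced libexpat (sample): $(stale_expat_pids "$SAMPLE_PROC")"
# On a real host: needs_update "$(rpm -q expat)" and stale_expat_pids (run as root).
```

On a live RHEL 9 host the maps of other users' processes are only readable as root, and `evr_cmp` deliberately ignores the alphabetic parts of a release string, so it should be read as a quick triage check rather than a replacement for `rpm --verify` or the vendor's own tooling.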