Discussion:
[Audacity-devel] Expat 2.2.1 security fixes
Gale Andrews
2017-06-21 17:18:01 UTC
Permalink
An individual writing to feedback@ has pointed out important
security fixes in the new expat release 2.2.1 Sat June 17 2017

Security fixes:
* CVE-2017-9233 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/

* [MOX-002] CVE-2016-9063 -- Detect integer overflow
(Fixed version of existing downstream patches!)

Full changelog:
https://github.com/libexpat/libexpat/blob/master/expat/Changes .

Would I be right in guessing functional changes since 2.1.0 would need
a lot of testing?



Gale
Arturo 'Buanzo' Busleiman
2017-06-21 17:42:33 UTC
Permalink
There have been a number of security issues in the expat library, some
including RCE.including version 2.1.0:
https://www.cvedetails.com/vulnerability-list/vendor_id-12037/product_id-22545/version_id-158578/Libexpat-Expat-2.1.0.html

I would suggest we attempt to implement newer libexpat and test, and avoid
guessing.
Post by Gale Andrews
security fixes in the new expat release 2.2.1 Sat June 17 2017
* CVE-2017-9233 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/
* [MOX-002] CVE-2016-9063 -- Detect integer overflow
(Fixed version of existing downstream patches!)
https://github.com/libexpat/libexpat/blob/master/expat/Changes .
Would I be right in guessing functional changes since 2.1.0 would need
a lot of testing?
Gale
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
https://lists.sourceforge.net/lists/listinfo/audacity-devel
Loading...