SUSE-SU-2025:03239-1: important: Security update for expat
SLE-UPDATES
null at suse.de
Tue Sep 16 20:30:09 UTC 2025
# Security update for expat
Announcement ID: SUSE-SU-2025:03239-1
Release Date: 2025-09-16T17:04:05Z
Rating: important
References:
* bsc#1239618
* jsc#PED-12507
Cross-References:
* CVE-2024-8176
CVSS scores:
* CVE-2024-8176 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-8176 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-8176 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Basesystem Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves one vulnerability and contains one feature can now be
installed.
## Description:
This update for expat fixes the following issues:
expat was updated to version 2.7.1:
* Bug fixes:
* Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
* Other changes:
* Fix printf format specifiers for 32bit Emscripten
* docs: Promote OpenSSF Best Practices self-certification
* tests/benchmark: Resolve mistaken double close
* Address compiler warnings
* Version info bumped from 11:1:10 (libexpat.so.1.10.1) to 11:2:10 (libexpat.so.1.10.2); see https://verbump.de/ for what these numbers do
Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)
* Security fixes:
* CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
- general entities in character data ("<e>&g1;</e>")
- general entities in attribute values ("<e k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
* docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was
introduced with 2.6.4
* docs: Document need for C++11 compiler for use from C++
* Address Cppcheck warnings
* Mass-migrate links from http:// to https://
* Document changes since the previous release
* Version info bumped from 11:0:10 (libexpat.so.1.10.0) to 11:1:10 (libexpat.so.1.10.1); see https://verbump.de/ for what these numbers do
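One defensive check an application that feeds untrusted XML to libexpat can add while this update rolls out, as an added example that is not part of the advisory or of expat itself: it compares the linked expat version against 2.7.0 (the first release with the recursion fix) and refuses documents whose internal entities chain more than a few levels deep, the pattern behind CVE-2024-8176. It uses Python's standard-library pyexpat binding; the depth limit and the `chained_doc` sample builder are assumptions of this example.

```python
import re
from xml.parsers import expat

FIXED_VERSION = (2, 7, 0)            # first expat release with the recursion fix
_REF = re.compile(r"&([^;&#\s]+);")  # general entity references inside a value

def expat_has_fix(version=None):
    """True if the linked libexpat (or the given version tuple) is >= 2.7.0."""
    return tuple(expat.version_info if version is None else version) >= FIXED_VERSION

class EntityGuard:
    """Rejects a document whose declared entities chain deeper than max_depth (limit assumed)."""
    def __init__(self, max_depth=3):
        self.max_depth, self.values = max_depth, {}

    def depth(self, name, seen=()):
        # Longest reference chain from `name`; `seen` cuts off cycles (a WF error anyway).
        if name in seen or name not in self.values:
            return 0
        refs = _REF.findall(self.values[name])
        return 1 + max((self.depth(r, seen + (name,)) for r in refs), default=0)

    def on_entity_decl(self, name, is_pe, value, base, sysid, pubid, notation):
        if value is None:            # external entity: no replacement text to inspect
            return
        self.values[name] = value
        # Re-check every entity so that declaration order does not matter.
        if max(self.depth(n) for n in self.values) > self.max_depth:
            raise ValueError(f"entity chain via {name!r} deeper than {self.max_depth}")

def parse_guarded(xml_bytes, max_depth=3):
    """Parse with the guard installed; returns the document's character data."""
    guard, text = EntityGuard(max_depth), []
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = guard.on_entity_decl
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)

def is_accepted(xml_bytes, max_depth=3):
    try:
        parse_guarded(xml_bytes, max_depth)
        return True
    except ValueError:
        return False

def chained_doc(n):
    """Constructed sample: n internal entities, each one referencing the previous."""
    decls = ['<!ENTITY g0 "x">'] + [f'<!ENTITY g{k} "&g{k-1};">' for k in range(1, n)]
    return f"<!DOCTYPE e [{''.join(decls)}]><e>&g{n-1};</e>".encode()
```

The guard raises from inside the declaration handler, so expat stops before any of the chained entities is expanded; on a patched 2.7.x library it is belt-and-braces, on an older one it keeps the recursion depth bounded.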
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-3239=1
## Package List:
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* expat-2.7.1-150700.3.3.1
* expat-debuginfo-2.7.1-150700.3.3.1
* libexpat-devel-2.7.1-150700.3.3.1
* libexpat1-2.7.1-150700.3.3.1
* libexpat1-debuginfo-2.7.1-150700.3.3.1
* expat-debugsource-2.7.1-150700.3.3.1
* Basesystem Module 15-SP7 (x86_64)
* libexpat1-32bit-2.7.1-150700.3.3.1
* libexpat1-32bit-debuginfo-2.7.1-150700.3.3.1
* expat-32bit-debuginfo-2.7.1-150700.3.3.1
## References:
* https://www.suse.com/security/cve/CVE-2024-8176.html
* https://bugzilla.suse.com/show_bug.cgi?id=1239618
* https://jira.suse.com/browse/PED-12507