expat-2.4.6-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11866 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z expat-2.4.6-1.1 on GA media These are all security issues fixed in the expat-2.4.6-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11866 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11866 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-25235/ SUSE CVE CVE-2022-25235 page https://www.suse.com/security/cve/CVE-2022-25236/ SUSE CVE CVE-2022-25236 page https://www.suse.com/security/cve/CVE-2022-25313/ SUSE CVE CVE-2022-25313 page https://www.suse.com/security/cve/CVE-2022-25314/ SUSE CVE CVE-2022-25314 page https://www.suse.com/security/cve/CVE-2022-25315/ SUSE CVE CVE-2022-25315 page openSUSE Tumbleweed expat-2.4.6-1.1 libexpat-devel-2.4.6-1.1 libexpat-devel-32bit-2.4.6-1.1 libexpat1-2.4.6-1.1 libexpat1-32bit-2.4.6-1.1 expat-2.4.6-1.1 as a component of openSUSE Tumbleweed libexpat-devel-2.4.6-1.1 as a component of openSUSE Tumbleweed libexpat-devel-32bit-2.4.6-1.1 as a component of openSUSE Tumbleweed libexpat1-2.4.6-1.1 as a component of openSUSE Tumbleweed libexpat1-32bit-2.4.6-1.1 as a component of openSUSE Tumbleweed xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. CVE-2022-25235 openSUSE Tumbleweed:expat-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25235.html CVE-2022-25235 https://bugzilla.suse.com/1196026 SUSE Bug 1196026 https://bugzilla.suse.com/1197217 SUSE Bug 1197217 https://bugzilla.suse.com/1198587 SUSE Bug 1198587 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 https://bugzilla.suse.com/1201735 SUSE Bug 1201735 xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVE-2022-25236 openSUSE Tumbleweed:expat-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25236.html CVE-2022-25236 https://bugzilla.suse.com/1196025 SUSE Bug 1196025 https://bugzilla.suse.com/1196784 SUSE Bug 1196784 https://bugzilla.suse.com/1197217 SUSE Bug 1197217 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1201735 SUSE Bug 1201735 In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. CVE-2022-25313 openSUSE Tumbleweed:expat-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25313.html CVE-2022-25313 https://bugzilla.suse.com/1196168 SUSE Bug 1196168 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. CVE-2022-25314 openSUSE Tumbleweed:expat-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25314.html CVE-2022-25314 https://bugzilla.suse.com/1196169 SUSE Bug 1196169 https://bugzilla.suse.com/1197217 SUSE Bug 1197217 https://bugzilla.suse.com/1198587 SUSE Bug 1198587 https://bugzilla.suse.com/1199096 SUSE Bug 1199096 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. CVE-2022-25315 openSUSE Tumbleweed:expat-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.6-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-2.4.6-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25315.html CVE-2022-25315 https://bugzilla.suse.com/1196171 SUSE Bug 1196171 https://bugzilla.suse.com/1197217 SUSE Bug 1197217 https://bugzilla.suse.com/1198587 SUSE Bug 1198587 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 https://bugzilla.suse.com/1201735 SUSE Bug 1201735