Security update for expat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03239-1 Final 1 1 2025-09-16T17:04:04Z current 2025-09-16T17:04:04Z 2025-09-16T17:04:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for expat This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('<e>&g1;</e>') - general entities in attribute values ('<e k1='&g1;'/>') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/bci-base-fips:latest-2025-3239,Container bci/bci-init:latest-2025-3239,Container bci/bci-sle15-kernel-module-devel:latest-2025-3239,Container bci/gcc:latest-2025-3239,Container bci/golang:1.24-openssl-2025-3239,Container bci/golang:latest-2025-3239,Container bci/kiwi:latest-2025-3239,Container bci/openjdk-devel:17-2025-3239,Container bci/openjdk-devel:latest-2025-3239,Container bci/openjdk:17-2025-3239,Container bci/openjdk:latest-2025-3239,Container bci/php-apache:latest-2025-3239,Container bci/ruby:2-2025-3239,Container bci/ruby:latest-2025-3239,Container suse/git:latest-2025-3239,Container suse/kea:latest-2025-3239,Container suse/kiosk/firefox-esr:latest-2025-3239,Container suse/kiosk/pulseaudio:latest-2025-3239,Container suse/kiosk/xorg-client:latest-2025-3239,Container suse/kiosk/xorg:latest-2025-3239,Container suse/mariadb:latest-2025-3239,Container suse/nginx:latest-2025-3239,Container suse/registry:latest-2025-3239,Container suse/samba-toolbox:latest-2025-3239,SUSE-2025-3239,SUSE-SLE-Module-Basesystem-15-SP7-2025-3239 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503239-1/ Link for SUSE-SU-2025:03239-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041717.html E-Mail link for SUSE-SU-2025:03239-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1239618 SUSE Bug 1239618 https://www.suse.com/security/cve/CVE-2024-8176/ SUSE CVE CVE-2024-8176 page Container bci/bci-base-fips:latest Container bci/bci-init:latest Container bci/bci-sle15-kernel-module-devel:latest Container bci/gcc:latest Container bci/golang:1.24-openssl Container bci/golang:latest Container bci/kiwi:latest Container bci/openjdk-devel:17 Container bci/openjdk-devel:latest Container bci/openjdk:17 Container bci/openjdk:latest Container bci/php-apache:latest Container bci/ruby:2 Container bci/ruby:latest Container suse/git:latest Container suse/kea:latest Container suse/kiosk/firefox-esr:latest Container suse/kiosk/pulseaudio:latest Container suse/kiosk/xorg-client:latest Container suse/kiosk/xorg:latest Container suse/mariadb:latest Container suse/nginx:latest Container suse/registry:latest Container suse/samba-toolbox:latest SUSE Linux Enterprise Module for Basesystem 15 SP7 libexpat1-2.7.1-150700.3.3.1 expat-2.7.1-150700.3.3.1 libexpat-devel-2.7.1-150700.3.3.1 libexpat-devel-32bit-2.7.1-150700.3.3.1 libexpat-devel-64bit-2.7.1-150700.3.3.1 libexpat1-32bit-2.7.1-150700.3.3.1 libexpat1-64bit-2.7.1-150700.3.3.1 libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/bci-base-fips:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/bci-init:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/bci-sle15-kernel-module-devel:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/gcc:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/golang:1.24-openssl libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/golang:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/kiwi:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/openjdk-devel:17 libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/openjdk-devel:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/openjdk:17 libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/openjdk:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/php-apache:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/ruby:2 libexpat1-2.7.1-150700.3.3.1 as a component of Container bci/ruby:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/git:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/kea:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/kiosk/firefox-esr:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/kiosk/pulseaudio:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/kiosk/xorg-client:latest expat-2.7.1-150700.3.3.1 as a component of Container suse/kiosk/xorg:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/kiosk/xorg:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/mariadb:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/nginx:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/registry:latest libexpat1-2.7.1-150700.3.3.1 as a component of Container suse/samba-toolbox:latest expat-2.7.1-150700.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libexpat-devel-2.7.1-150700.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libexpat1-2.7.1-150700.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libexpat1-32bit-2.7.1-150700.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVE-2024-8176 Container bci/bci-base-fips:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/bci-init:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/bci-sle15-kernel-module-devel:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/gcc:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/golang:1.24-openssl:libexpat1-2.7.1-150700.3.3.1 Container bci/golang:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/kiwi:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/openjdk-devel:17:libexpat1-2.7.1-150700.3.3.1 Container bci/openjdk-devel:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/openjdk:17:libexpat1-2.7.1-150700.3.3.1 Container bci/openjdk:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/php-apache:latest:libexpat1-2.7.1-150700.3.3.1 Container bci/ruby:2:libexpat1-2.7.1-150700.3.3.1 Container bci/ruby:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/git:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/kea:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/kiosk/firefox-esr:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/kiosk/pulseaudio:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/kiosk/xorg-client:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/kiosk/xorg:latest:expat-2.7.1-150700.3.3.1 Container suse/kiosk/xorg:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/mariadb:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/nginx:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/registry:latest:libexpat1-2.7.1-150700.3.3.1 Container suse/samba-toolbox:latest:libexpat1-2.7.1-150700.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:expat-2.7.1-150700.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libexpat-devel-2.7.1-150700.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libexpat1-2.7.1-150700.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libexpat1-32bit-2.7.1-150700.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503239-1/ https://www.suse.com/security/cve/CVE-2024-8176.html CVE-2024-8176 https://bugzilla.suse.com/1239618 SUSE Bug 1239618