Security update for expat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1186-1 Final 1 1 2025-04-09T14:28:12Z current 2025-04-09T14:28:12Z 2025-04-09T14:28:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for expat This update for expat fixes the following issues: - CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused by stack overflow by resolving use of recursion (bsc#1239618) Other fixes: - version update to 2.7.1 (jsc#PED-12500) Bug fixes: #980 #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: #976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}' with Automake that were missing from 2.7.0 release tarballs #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close #986 Address compiler warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: #982 CI: Start running Perl XML::Parser integration tests #987 CI: Enforce Clang Static Analyzer clean code #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 #977 CI: Protect against fuzzer files missing from future release archives - version update to 2.7.0 #935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS #925 Autotools: Sync CMake templates with CMake 3.29 #945 #962 #966 CMake: Drop support for CMake <3.13 #942 CMake: Small fuzzing related improvements #921 docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 #941 docs: Document need for C++11 compiler for use from C++ #959 tests/benchmark: Fix a (harmless) TOCTTOU #944 Windows: Fix installer target location of file xmlwf.xml for CMake #953 Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW #971 Address Cppcheck warnings #969 #970 Mass-migrate links from http:// to https:// #947 #958 .. #974 #975 Document changes since the previous release #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do - Version info bumped from 9:3:8 to 9:4:8; see https://verbump.de/ for what these numbers do The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle-micro-rancher/5.2:latest-2025-1186,Container suse/sle-micro/5.1/toolbox:latest-2025-1186,Container suse/sle-micro/5.2/toolbox:latest-2025-1186,SUSE-2025-1186,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-1186,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-1186,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-1186,SUSE-SUSE-MicroOS-5.1-2025-1186,SUSE-SUSE-MicroOS-5.2-2025-1186,SUSE-Storage-7.1-2025-1186 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251186-1/ Link for SUSE-SU-2025:1186-1 https://lists.suse.com/pipermail/sle-updates/2025-April/038951.html E-Mail link for SUSE-SU-2025:1186-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1239618 SUSE Bug 1239618 https://www.suse.com/security/cve/CVE-2024-8176/ SUSE CVE CVE-2024-8176 page Container suse/sle-micro-rancher/5.2:latest Container suse/sle-micro/5.1/toolbox:latest Container suse/sle-micro/5.2/toolbox:latest SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 libexpat1-2.7.1-150000.3.36.1 expat-2.7.1-150000.3.36.1 libexpat-devel-2.7.1-150000.3.36.1 libexpat-devel-32bit-2.7.1-150000.3.36.1 libexpat-devel-64bit-2.7.1-150000.3.36.1 libexpat1-32bit-2.7.1-150000.3.36.1 libexpat1-64bit-2.7.1-150000.3.36.1 libexpat1-2.7.1-150000.3.36.1 as a component of Container suse/sle-micro-rancher/5.2:latest libexpat1-2.7.1-150000.3.36.1 as a component of Container suse/sle-micro/5.1/toolbox:latest libexpat1-2.7.1-150000.3.36.1 as a component of Container suse/sle-micro/5.2/toolbox:latest expat-2.7.1-150000.3.36.1 as a component of SUSE Enterprise Storage 7.1 libexpat-devel-2.7.1-150000.3.36.1 as a component of SUSE Enterprise Storage 7.1 libexpat1-2.7.1-150000.3.36.1 as a component of SUSE Enterprise Storage 7.1 libexpat1-32bit-2.7.1-150000.3.36.1 as a component of SUSE Enterprise Storage 7.1 expat-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS libexpat-devel-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS libexpat1-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS libexpat1-32bit-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS libexpat1-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Micro 5.1 libexpat1-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Micro 5.2 expat-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS libexpat-devel-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS libexpat1-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS libexpat1-32bit-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS expat-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 libexpat-devel-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 libexpat1-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 libexpat1-32bit-2.7.1-150000.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVE-2024-8176 Container suse/sle-micro-rancher/5.2:latest:libexpat1-2.7.1-150000.3.36.1 Container suse/sle-micro/5.1/toolbox:latest:libexpat1-2.7.1-150000.3.36.1 Container suse/sle-micro/5.2/toolbox:latest:libexpat1-2.7.1-150000.3.36.1 SUSE Enterprise Storage 7.1:expat-2.7.1-150000.3.36.1 SUSE Enterprise Storage 7.1:libexpat-devel-2.7.1-150000.3.36.1 SUSE Enterprise Storage 7.1:libexpat1-2.7.1-150000.3.36.1 SUSE Enterprise Storage 7.1:libexpat1-32bit-2.7.1-150000.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:expat-2.7.1-150000.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:libexpat-devel-2.7.1-150000.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:libexpat1-2.7.1-150000.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:libexpat1-32bit-2.7.1-150000.3.36.1 SUSE Linux Enterprise Micro 5.1:libexpat1-2.7.1-150000.3.36.1 SUSE Linux Enterprise Micro 5.2:libexpat1-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server 15 SP3-LTSS:expat-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server 15 SP3-LTSS:libexpat-devel-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server 15 SP3-LTSS:libexpat1-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server 15 SP3-LTSS:libexpat1-32bit-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:expat-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:libexpat-devel-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:libexpat1-2.7.1-150000.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:libexpat1-32bit-2.7.1-150000.3.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251186-1/ https://www.suse.com/security/cve/CVE-2024-8176.html CVE-2024-8176 https://bugzilla.suse.com/1239618 SUSE Bug 1239618