Security update for expat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20045-1 Final 1 1 2025-02-03T08:54:55Z current 2025-02-03T08:54:55Z 2025-02-03T08:54:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for expat This update for expat fixes the following issues: - CVE-2024-45492: detect integer overflow in function nextScaffoldPart (bsc#1229932) - CVE-2024-45491: detect integer overflow in dtdCopy (bsc#1229931) - CVE-2024-45490: reject negative len for XML_ParseBuffer (bsc#1229930) - CVE-2024-28757: XML Entity Expansion attack when there is isolated use of external parsers (bsc#1221289) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-44 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520045-1/ Link for SUSE-SU-2025:20045-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021308.html E-Mail link for SUSE-SU-2025:20045-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1221289 SUSE Bug 1221289 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229931 SUSE Bug 1229931 https://bugzilla.suse.com/1229932 SUSE Bug 1229932 https://www.suse.com/security/cve/CVE-2024-28757/ SUSE CVE CVE-2024-28757 page https://www.suse.com/security/cve/CVE-2024-45490/ SUSE CVE CVE-2024-45490 page https://www.suse.com/security/cve/CVE-2024-45491/ SUSE CVE CVE-2024-45491 page https://www.suse.com/security/cve/CVE-2024-45492/ SUSE CVE CVE-2024-45492 page SUSE Linux Micro 6.0 libexpat1-2.5.0-3.1 libexpat1-2.5.0-3.1 as a component of SUSE Linux Micro 6.0 libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). CVE-2024-28757 SUSE Linux Micro 6.0:libexpat1-2.5.0-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520045-1/ https://www.suse.com/security/cve/CVE-2024-28757.html CVE-2024-28757 https://bugzilla.suse.com/1221289 SUSE Bug 1221289 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 SUSE Linux Micro 6.0:libexpat1-2.5.0-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520045-1/ https://www.suse.com/security/cve/CVE-2024-45490.html CVE-2024-45490 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 SUSE Linux Micro 6.0:libexpat1-2.5.0-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520045-1/ https://www.suse.com/security/cve/CVE-2024-45491.html CVE-2024-45491 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229931 SUSE Bug 1229931 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 SUSE Linux Micro 6.0:libexpat1-2.5.0-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520045-1/ https://www.suse.com/security/cve/CVE-2024-45492.html CVE-2024-45492 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229932 SUSE Bug 1229932