Expat Fix: Siemens Leads Effort to Address Critical Vulnerability

In May 2024, Sebastian Pipping discovered a critical vulnerability affecting multiple versions of libexpat (Expat), an XML parsing library widely used across many software systems. The issue had three facets: general entities in character data, general entities in attribute values, and parameter entity exploitation. Berkay Eren Ürün from Siemens led the work toward a fix, with significant contributions from Dr. Thomas Pröll at Siemens, Unnamed Company (who hired Linutronix and Red Hat), Jann Horn for initial research, and other contributors involved in Expat development. After ten months of collaborative work, libexpat released version 2.7.0 to address these vulnerabilities (CVE-2022-25313 and CVE-2024-8176). Companies using affected versions should update their copies, including any bundled Expat instances, as soon as possible.

For more details about this release, refer to the change log provided in Sebastian Pipping’s announcement.
