Expat 2.4.3 released, includes security fixes

January 16, 2022

Submitted by Sebastian Pipping.

libexpat security open source software libre parsers expat parsing c free software releases

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.3 has been released earlier today. Besides two minor fixes to the build system, this release is about security fixes. There is a total of 8 CVEs fixed, all related to fixed-size integer math (integer overflow and invalid shifts) near memory allocation. Impact is denial of service, or more.

CVE-2021-45960
CVE-2021-46143
CVE-2022-22822
CVE-2022-22823
CVE-2022-22824
CVE-2022-22825
CVE-2022-22826
CVE-2022-22827

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.3. Thank you!

Sebastian Pipping

This article first appeared at blog.hartwork.org.

Expat 2.4.3 released, includes security fixes

Related links