Expat 2.4.0 (and 2.4.1) with security fixes released

May 23, 2021

Submitted by Sebastian Pipping.

libexpat dos denial of service releases billion laughs attack software libre parsers parameter laughs attack expat parsing c free software open source security

There is a longer version of this article at blog.hartwork.org.

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier today. Release 2.4.0 fixes long known security issue CVE-2013-0340 by adding protection against so-called Billion Laughs Attacks, a form of denial of service against applications accepting XML input, in all known variations, including recent flavor Parameter Laughs.

[..]

Besides this security fix, there is the usual bunch of fixes and improvements in tooling, documentation, and the two build systems. For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.1. Thank you!

Sebastian Pipping

This article first appeared at blog.hartwork.org.