Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN149

_____________________________________________________________________

DATE                : 19/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running libexpat versions prior to 2.7.0.

=====================================================================
https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes
_____________________________________________________________________

Release 2.7.0 Thu March 13 2025
 Security fixes:
  #893 #973  CVE-2024-8176 -- Fix crash from chaining a large number
            of entities caused by stack overflow by resolving use of
            recursion, for all three uses of entities:
            - general entities in character data ("<e>&g1;</e>")
            - general entities in attribute values ("<e k1='&g1;'/>")
            - parameter entities ("%p1;")
            Known impact is (reliable and easy) denial of service:
          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
            (Base Score: 7.5, Temporal Score: 7.2)
            Please note that a layer of compression around XML can
            significantly reduce the minimum attack payload size.

  Other changes:
      #935 #937  Autotools: Make generated CMake files look for
                    libexpat.@SO_MAJOR@.dylib on macOS
           #925  Autotools: Sync CMake templates with CMake 3.29
 #945 #962 #966  CMake: Drop support for CMake <3.13
           #942  CMake: Small fuzzing related improvements
           #921  docs: Add missing documentation of error code
               XML_ERROR_NOT_STARTED that was introduced with 2.6.4
       #941  docs: Document need for C++11 compiler for use from C++
       #959  tests/benchmark: Fix a (harmless) TOCTTOU
       #944  Windows: Fix installer target location of file xmlwf.xml
                    for CMake
       #953  Windows: Address warning -Wunknown-warning-option
                    about -Wno-pedantic-ms-format from LLVM MinGW
       #971  Address Cppcheck warnings
       #969 #970  Mass-migrate links from http:// to https://
    #947 #958 ..
       #974 #975  Document changes since the previous release
       #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
              to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
              for what these numbers do

        Infrastructure:
            #926  tests: Increase robustness
    #927 #932 ..
       #930 #933  tests: Increase test coverage
    #617 #950 ..
    #951 #952 ..
    #954 #955 ..  Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
         #961    Google's libprotobuf-mutator ("LPM")
      #957  Fuzzing|CI: Start producing fuzzing code coverage reports
      #936  CI: Pass -q -q for LCOV >=2.1 in coverage.sh
      #942  CI: Small fuzzing related improvements
    #139 #203 ..
  #791 #946  CI: Make GitHub Actions build using MSVC on Windows and
                produce 32bit and 64bit Windows binaries
            #956  CI: Get off of about-to-be-removed Ubuntu 20.04
#960 #964  CI: Start uploading to Coverity Scan for static analysis
     #972  CI: Stop loading DTD from the internet to address flaky CI
     #971  CI: Adapt to breaking changes in Cppcheck


        Special thanks to:
            Alexander Gieringer
            Berkay Eren Ürün
            Hanno Böck
            Jann Horn
            Mark Brand
            Sebastian Andrzej Siewior
            Snild Dolkow
            Thomas Pröll
            Tomas Korbar
            valord577
                 and
            Google Project Zero
            Linutronix
            Red Hat
            Siemens

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================