Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: expat #1348

Closed
dongsupark opened this issue Feb 7, 2024 · 1 comment · Fixed by flatcar/scripts#1949
Closed

update: expat #1348

dongsupark opened this issue Feb 7, 2024 · 1 comment · Fixed by flatcar/scripts#1949
Labels
advisory security advisory cvss/HIGH > 7 && < 9 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

dongsupark commented Feb 7, 2024
edited
Loading

Name: expat
CVEs: CVE-2023-52425, CVE-2024-28757
CVSSs: 7.5, tbd
Action Needed: update to >= 2.6.2

Summary:

  • CVE-2023-52425: libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
  • CVE-2024-28757: vulnerable to billion laughs attacks with isolated use of external parsers

refmap.gentoo: https://bugs.gentoo.org/923951, https://bugs.gentoo.org/926786
@dongsupark dongsupark added security security concerns advisory security advisory labels Feb 7, 2024
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Feb 7, 2024
@dongsupark dongsupark added the cvss/HIGH > 7 && < 9 assessed CVSS label Feb 12, 2024
@dongsupark dongsupark moved this from 🪵Backlog to 🌱 Upcoming / Focus in Flatcar tactical, release planning, and roadmap Feb 14, 2024
@github-actions github-actions bot mentioned this issue Feb 22, 2024
Closed
@dongsupark dongsupark moved this from 🌱 Upcoming / Focus to 🪵Backlog in Flatcar tactical, release planning, and roadmap Feb 22, 2024
@tormath1
Copy link
Contributor

Added CVE-2024-28757

@github-actions github-actions bot mentioned this issue Mar 22, 2024
Closed
@github-actions github-actions bot mentioned this issue Apr 22, 2024
Closed
@krnowak krnowak mentioned this issue Apr 23, 2024
Merged
2 tasks
@dongsupark dongsupark moved this from 🪵Backlog to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Apr 24, 2024
@github-project-automation github-project-automation bot moved this from ⚒️ In Progress to Implemented in Flatcar tactical, release planning, and roadmap Apr 25, 2024
@github-actions github-actions bot mentioned this issue May 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/HIGH > 7 && < 9 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Weekly portage-stable package updates 2024-04-22 flatcar/scripts
2 participants
@dongsupark @tormath1