Bug#1006333: Relaxed fix in expat for CVE-2022-25236 released
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 13 15:21:22 GMT 2022
Hi all,
An update for expat (which landed in unstable earlier, and now as DSA 5085-2
for buster and bullseye as well) has been released which relaxes the fix for
CVE-2022-25236 with regard to RFC 3986 URI characters.
So there is no immediate action for updating the affected packages
from regressions in buster and bullseye. For unstable (and bookworm),
given that the API docs of the function XML_ParserCreateNS do advise against
using URI characters in namespace separators and expat might be
stricter in future about their use, it's still recommended to address
these issues (I see biboumi in fact did already in #1006333, thanks
Jonas, Slavko and Diane).
Regards,
Salvatore
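The mail recommends that callers of XML_ParserCreateNS avoid a namespace separator that is also a URI character under RFC 3986, since expat inserts the separator between the namespace URI and the local name, and a separator that could itself be part of a URI makes the expanded name ambiguous. The following is an added, stand-alone C example (not from the mail, from expat, or from biboumi) of the pre-flight check a maintainer can run on the separator a package passes to XML_ParserCreateNS; the RFC 3986 character classes are taken from section 2.2 of the RFC, the candidate separators are constructed for illustration, and the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 3986 section 2.2 reserved characters: gen-delims and sub-delims. */
static const char RFC3986_RESERVED[] = ":/?#[]@!$&'()*+,;=";

/* Returns 1 if c may appear literally in a URI per RFC 3986
 * (unreserved, reserved, or the '%' that introduces percent-encoding),
 * otherwise 0. */
int is_rfc3986_uri_char(unsigned char c)
{
    if (isalnum(c))                                    /* ALPHA / DIGIT */
        return 1;
    if (c == '-' || c == '.' || c == '_' || c == '~')  /* unreserved marks */
        return 1;
    if (c == '%')                                      /* pct-encoded */
        return 1;
    return c != '\0' && strchr(RFC3986_RESERVED, c) != NULL;
}

/* Returns 1 if sep is a safe namespace separator for XML_ParserCreateNS:
 * non-NUL and not a URI character, so it cannot be mistaken for the tail
 * of the namespace URI it is appended to. This mirrors the advice in the
 * expat API docs; it is not expat's own code. */
int ns_separator_is_safe(unsigned char sep)
{
    return sep != '\0' && !is_rfc3986_uri_char(sep);
}

int main(void)
{
    /* Constructed candidates a package might have chosen as separator. */
    const unsigned char candidates[] = { '|', '\n', ' ', ':', '/', '#', 'x', '~', '%' };
    size_t i;

    for (i = 0; i < sizeof candidates; i++) {
        unsigned char c = candidates[i];
        if (isprint(c))
            printf("separator '%c': %s\n", c,
                   ns_separator_is_safe(c) ? "ok" : "URI character, avoid");
        else
            printf("separator 0x%02x: %s\n", c,
                   ns_separator_is_safe(c) ? "ok" : "URI character, avoid");
    }
    return 0;
}
```

A separator that fails this check is exactly the kind the relaxed fix tolerates again but the API docs discourage, so it is worth changing while expat is lenient about it.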