Your message dated Tue, 17 Mar 2026 22:04:42 +0000
with message-id <[email protected]>
and subject line Bug#1131119: fixed in expat 2.7.5-1
has caused the Debian Bug report #1131119,
regarding expat: CVE-2026-32778
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.7.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/1163
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for expat.

CVE-2026-32778[0]:
| libexpat before 2.7.5 allows a NULL pointer dereference in the
| function setContext on retry after an earlier out-of-memory
| condition.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32778
    https://www.cve.org/CVERecord?id=CVE-2026-32778
[1] https://github.com/libexpat/libexpat/pull/1163

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: expat
Source-Version: 2.7.5-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Mar 2026 22:23:17 +0100
Source: expat
Architecture: source
Version: 2.7.5-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1131117 1131118 1131119
Changes:
 expat (2.7.5-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2026-32776: NULL function pointer dereference for empty
       external parameter entities (closes: #1131117),
     - fixes CVE-2026-32777: protect from XML_TOK_INSTANCE_START infinite
       loop in entityValueProcessor() (closes: #1131118),
     - fixes CVE-2026-32778: NULL dereference in setContext() on retry after
       an earlier out-of-memory condition (closes: #1131119).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
