Your message dated Sun, 10 May 2026 17:22:08 +0000
with message-id <[email protected]>
and subject line Bug#1136164: fixed in expat 2.8.0-2
has caused the Debian Bug report #1136164,
regarding expat: CVE-2026-45186
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136164: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136164
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.8.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/1216
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for expat.

CVE-2026-45186[0]:
| In libexpat before 2.8.1, the computational complexity of attribute
| name collision checks allows a denial of service via moderately
| sized crafted XML input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45186
    https://www.cve.org/CVERecord?id=CVE-2026-45186
[1] https://github.com/libexpat/libexpat/pull/1216 

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: expat
Source-Version: 2.8.0-2
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 May 2026 16:51:27 +0200
Source: expat
Architecture: source
Version: 2.8.0-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1136164
Changes:
 expat (2.8.0-2) unstable; urgency=high
 .
   * Backport upstream fixes for self-testing:
     - drop casts around malloc that C99 does not need,
     - drop casts around XML_GetUserData that C99 does not need.
   * Backport upstream fixes for CVE-2026-45186: attribute name collision
     checks allowed denial of service attacks through moderately sized
     crafted XML input (closes: #1136164).



--- End Message ---
