Did anyone see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718? "Expat allows context-dependent attackers to cause a denial of service (crash) or *possibly execute arbitrary code* via a malformed input document, which triggers a buffer overflow."
A patch used for Debian can be found at http://www.openwall.com/lists/oss-security/2016/05/17/12