On Fri, May 27, 2016 at 9:48 AM, David Dillard <davidedill...@gmail.com> wrote:
> Did anyone see
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718?  "Expat
> allows context-dependent attackers to cause a denial of service (crash) or
> possibly execute arbitrary code via a malformed input document, which
> triggers a buffer overflow."
>
> A patch used for Debian can be found at
> http://www.openwall.com/lists/oss-security/2016/05/17/12

Thanks David.

As reported by Seulbae Kim from the Center for Software Security and
Assurance (CSSA), we either need to spend a lot of time on a bundled
expat or rip it out from releases. I think one more release with an
updated expat might be prudent, given the severity of the issue shared
above.

-- 
Eric Covener
cove...@gmail.com
