From: Christian Melki <christian.melki@t2data.com>
To: ptxdist@pengutronix.de
Subject: [ptxdist] [PATCH] expat: Version bump. 2.8.1 -> 2.8.2
Date: Tue, 30 Jun 2026 19:59:07 +0200 [thread overview]
Message-ID: <20260630175907.3445622-1-christian.melki@t2data.com> (raw)
Security release.
https://github.com/libexpat/libexpat/blob/R_2_8_2/expat/Changes
Plugs CVEs:
CVE-2026-50219: Disallow calls to functions `XML_GetBuffer`, `XML_Parse`,
`XML_ParseBuffer`, `XML_ParserFree`, `XML_ParserReset` to guard
Expat bindings from memory corruption.
CVE-2026-56131: Protect XML_ResumeParser from being called from a handler,
plugging a hole in the fix to CVE-2026-50219
CVE-2026-56132: Fix out-of-bound scaffolding index store in `doProlog`
CVE-2026-56403: Integer overflow in `storeAtts`
CVE-2026-56404: Integer overflow in `addBinding`
CVE-2026-56405: Integer overflow in `getAttributeId`
CVE-2026-56406: Integer overflow in `XML_ParseBuffer`
CVE-2026-56407: Integer overflow in `textLen` handling
CVE-2026-56408: Integer overflow in `copyString`
CVE-2026-56409: xmlwf: Integer overflow in output path join
CVE-2026-56410: xmlwf: Integer overflow in `resolveSystemId`
CVE-2026-56411: xmlwf: Integer overflow in notation list allocation
CVE-2026-56412: Guard XML_TOK_DATA_CHARS handler calls in `doCdataSection`,
plugging a hole in the fix to CVE-2026-50219
Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
rules/expat.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/expat.make b/rules/expat.make
index 411afc4eb..acf88b4d8 100644
--- a/rules/expat.make
+++ b/rules/expat.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_EXPAT) += expat
#
# Paths and names
#
-EXPAT_VERSION := 2.8.1
-EXPAT_SHA256 := f5833dd2e1cd7739ec9182804a1a29c4f0cc7c2f26b633d3a2188b7766a88ecb
+EXPAT_VERSION := 2.8.2
+EXPAT_SHA256 := 69e7f52417d85b1c2b7fe855e176eec55d0b2d7d92d691372d833a1c7df7923b
EXPAT := expat-$(EXPAT_VERSION)
EXPAT_SUFFIX := tar.bz2
EXPAT_RELEASE := R_$(subst .,_,$(EXPAT_VERSION))
--
2.43.0
reply other threads:[~2026-06-30 17:59 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630175907.3445622-1-christian.melki@t2data.com \
--to=christian.melki@t2data.com \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox