From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Tue, 30 Jun 2026 19:59:31 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1weck7-00BXsJ-1e for lore@lore.pengutronix.de; Tue, 30 Jun 2026 19:59:31 +0200 Received: from [127.0.0.1] (helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1weck7-0007o9-8g; Tue, 30 Jun 2026 19:59:31 +0200 Received: from mx1.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::107]) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wecjv-0007o2-PZ for ptxdist@pengutronix.de; Tue, 30 Jun 2026 19:59:19 +0200 Received: from AM0PR02CU008.outbound.protection.outlook.com (mail-westeuropeazlp170130006.outbound.protection.outlook.com [IPv6:2a01:111:f403:c201::6]) by mx1.white.stw.pengutronix.de (Postfix) with ESMTPS id 5BF4C20258F for ; Tue, 30 Jun 2026 19:59:19 +0200 (CEST) Authentication-Results: mx1.white.stw.pengutronix.de; dkim=pass header.d=t2datacom.onmicrosoft.com header.s=selector1-t2datacom-onmicrosoft-com header.b="fk4H/2q8"; spf=pass (mx1.white.stw.pengutronix.de: domain of christian.melki@t2data.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=christian.melki@t2data.com; dmarc=pass (policy=none) header.from=t2data.com; arc=pass ("microsoft.com:s=arcselector10001:i=1") ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=wWfK9SA9jLu+8TihnMcMZKRCYXpjbl00m4iBWW6yaaU4exL3dAGyKYH6NmqvSXJ2TASKEzez5fOd+uJK3/IOy76JfMUDHwog8cOMxXGAUum4LurbxqDOmVfiMerWcex84V0arByenVQBSIdz3gWCC1OEu7P3YIKIKBqCQewp+44Q2JANiGpHGA+S6y7lcnFb1p/5akkA++zYf0dD2EmVClYwFcG8tc2LFgah53mlCYTOTGaWkhBNjHCZj8Zb7HIjebXtr3+2bYjKeFNtpiTHSla8ddzygij6COkKN0IyxxQ8VF79y8frkZixuIrRdLw3bHddSmqNiS6ewKpXAc174Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4KZ5wi/mQSvqM0DfV/wZBYr72QNgfJ6L44nVPMAOJT4=; b=nXF3arAXlxuNbBEYDrvASUgl9N8Nd53XG3fdG2PCkhQ7TYdidtcRplO8bIsi2TOOInDm+wR5UWm/qlVd/8l5UZzz9ne+vG9Lv4IrdBxkKtljZt+tSl1qTciC9HbxubgADVjq7XBGZb9DGQtZXT7Wb/H6L9cUHtZGJ47+U6m6W6glEv6eupeZNvb2+nPCvWtUjBc4Q8Aq6bSTnjJQsFkWW+w1cKmhUICYolynAVYu8g3sIEPSFXlCf+y7+96EGQx6hN/01Lc+YaQBJeyLtvidF0Cu/iDJh2UQmNfZdGA733FLVTaFnD3t2/jfElqyiKCLZx97E1nA7qcvkJKeUyA/Pw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=t2data.com; dmarc=pass action=none header.from=t2data.com; dkim=pass header.d=t2data.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t2datacom.onmicrosoft.com; s=selector1-t2datacom-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4KZ5wi/mQSvqM0DfV/wZBYr72QNgfJ6L44nVPMAOJT4=; b=fk4H/2q8rdsByVwwwvLTkGInC5WXQjN93GBVGmDJ/3SDbtmAt4GD+X3yJrIknTC4aTn3nZ41avcLdn7IS8l1k3P5yKB4EBdPsiPiIJctk6GlyGVyuy+Wd+re1fTtEi2QD1gHWVV4eoPulJ0LF3s209my5Wg+xoI0XYFudUWdUJo= Received: from DB9P251MB0618.EURP251.PROD.OUTLOOK.COM (2603:10a6:10:334::22) by AM9P251MB0350.EURP251.PROD.OUTLOOK.COM (2603:10a6:20b:416::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.181.8; Tue, 30 Jun 2026 17:59:17 +0000 Received: from DB9P251MB0618.EURP251.PROD.OUTLOOK.COM ([fe80::a4b2:58d7:8549:4b19]) by DB9P251MB0618.EURP251.PROD.OUTLOOK.COM ([fe80::a4b2:58d7:8549:4b19%3]) with mapi id 15.21.0159.018; Tue, 30 Jun 2026 17:59:17 +0000 From: Christian Melki To: ptxdist@pengutronix.de Date: Tue, 30 Jun 2026 19:59:07 +0200 Message-ID: <20260630175907.3445622-1-christian.melki@t2data.com> X-Mailer: git-send-email 2.43.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: GV2PEPF000239A0.SWEP280.PROD.OUTLOOK.COM (2603:10a6:158:400::18e) To DB9P251MB0618.EURP251.PROD.OUTLOOK.COM (2603:10a6:10:334::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DB9P251MB0618:EE_|AM9P251MB0350:EE_ X-MS-Office365-Filtering-Correlation-Id: a5490f81-08e4-4455-512c-08ded6d14d64 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; ARA:13230040|366016|1800799024|52116014|376014|23010399003|18002099003|3023799007|38350700014|56012099006|6133799003; X-Microsoft-Antispam-Message-Info: Xi9eNfxNgTHL/xQXemOIYofoVFo5UpgdrDmyWh8PBo74zhLtEBn6wCG/dqNPSzoplhtg5Cval3pv8qFQRd5rOhUyGdPSUT9XflhbWC6NxnmD9Do60RbS2PyV5RUjwXfFd/1OEtm1glg2BC+VtNeGZYeanz8B0QgHSPmyxUh+vGiZr3Kp/syYKMjShhth3cyw/ZRmaQv0d2sAfjs2UbLZKQOxH2uLpsg+ayC2ZMHx95Z/sc5dyf5LU805xdJoO1nCeFgcdiMk4iPgRxvK5OuyRbSJlKvp2ZiLVVJL0gDDHTAYyC043t9wb+mcxzXQY/Qc24MvAqF84e+YWYVA2wxH1fRgC7ElCrBfmnCrXxGtPo75jNFQ/JqUDL0RL+no72cYzmmSTLwLtU8vQzuD8V6Lb2sKT04a23iDl8SRn2BFCv/UdNJM2rTkIYxusH8BNizXon7z9rQaYDlhAjOmY5VynKs8nmoaQxbqN/XrFOnU6cTNm9+PSkmSvlxizy0ZcTry2p49SPE61xOyhr0YNosRYalxsA/bknkGl4eFvbY4ade4hpfqdXHMNC8H0cjNxRyOrATcB+v4S5uJ54NoG43s82B9Q00tBpcNI7A/BCrOF66WyDVua2H6JGrl+Lu0lBv3CikvZuGiX0sxLZp5koTx7sgND9sb09UoSmjZRpLDAlmpWx1a0xGtSz5UFMpJtoYLvlZOcIgowmKrU56blE/1R/F+u5AbZtTSpcm/XTOCbwI= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9P251MB0618.EURP251.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230040)(366016)(1800799024)(52116014)(376014)(23010399003)(18002099003)(3023799007)(38350700014)(56012099006)(6133799003); DIR:OUT; SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?mQiS2hqIqeBpEoQCtOiURKbuCP1si8qShPZL3CHraqhLQUhnc+BFAJOMTIdd?= =?us-ascii?Q?dLXGu6qtUTwB3uX2KlwuqQYF3M1vwKyA3RPfmh+8NkLLn494fam+pMDxfE2P?= =?us-ascii?Q?5R8SgLWDWITjMe213Yknltt57FSUrm9Swjp7dYMpoepOcwugHlCvj0iosVe+?= =?us-ascii?Q?KxhFe0c6fyT9EhurrYVKI6jG3i/dGbCpSbUvHosQ9CNPjoHCmZIAjtZ0F3Dx?= =?us-ascii?Q?n7UHcZMth4r9xyZyzQIETMj7slmJHAOyZq80X9SeISTDQHAjsSzNLMHQc/0L?= =?us-ascii?Q?UzvJ4bBFfjLr+GbS+C9m4EuKctGetIyKfMGfQQac4+vmcfE7+jn5ISSz5Uey?= =?us-ascii?Q?8+tpc8HFfl5I9sR+AzDE/Visp18J6ITDAqm4Bqt69oQ3nDnkHK2RcVGZXPfH?= =?us-ascii?Q?GpGAo3Opa3a3bsNOmFA458DYIiewFyYF8yEQHj/E2akeQRdA+WqUCRdCgwNj?= =?us-ascii?Q?QrDJaf9zmZT5Un6gqQjTznTi42RtVJ741L1v4KYlwPpdQwwnrQ2evPTgxDc+?= =?us-ascii?Q?cZ3Zn3ZMZG47dgnPJ2LbhguZcqQnr6k8jhLeu1zuNDFRUChPHzoaLv6Rh9H3?= =?us-ascii?Q?KCQv2KFetknxokhEI693G62XADAbINYAfKmnUwFSZM74TWJjGfxIwRl6/wGs?= =?us-ascii?Q?/RTAzNwu/dWQFJNfATNiBbzXSh19W46J0HrcM/i10O1TTfksGXbq2w4/YVvm?= =?us-ascii?Q?BO1+//lvNsbXw45YbAywdBNfMv7aOQvz0rZhevERoDVfXpattvmfAZbHJUGl?= =?us-ascii?Q?kD6y814/rMruDJzs+wdewHQ7KG5DVnmRJMICmtD6rksZhhCbopqJlXZI190j?= =?us-ascii?Q?2iXnYgJo4Q2aqQbHj1DgZtgVP8Qk0hwInBv2InkFqkPYwllwMnoqtbOsJWJg?= =?us-ascii?Q?FdKF3CDq7r3CSkj8D4qQ2m9bbyroo3+GRN2kGiohXizOcCqYH4bDGKSEVnla?= =?us-ascii?Q?XBIikH7I5qIFqAGwkXy8IFHJemdzVBFpk3IGuDweJtm2fWBETzI9Hg2VK78h?= =?us-ascii?Q?B8aJOJ2KC0CRL4xMwz2LfZyGTWpHWmYcilr/qBwOZEXV5auP6zRwpafXXY7h?= =?us-ascii?Q?riCVzw5fim/LEXRKQ81YgZYdyNdDlZwe1f/av9YeCc5YBZCK2VPSKhKL2spk?= =?us-ascii?Q?uHmK6nkQzFkzCFHO+cuIPwW57/ujoFWC0EO90mSWY4Y3deGR47817sCqnGw/?= =?us-ascii?Q?fJyEbLPIHAyRMu7hzfHPUjbZ6MMoIqDwFQyhYd1rt0Ru9DJ6ECyhu7Qj3NCr?= =?us-ascii?Q?vMNE2DBTfllpGA1mrySBNI4Pxqo4JKx45L/gVfhO3+D1+bavSY4lV/T8KyHz?= =?us-ascii?Q?JnAE8SRRE/VmHXjsmFFIM4fMVOPAXzPbhAVJ7UCDpQiqlSEwcaMdTFnlS05e?= =?us-ascii?Q?2Q7Yk1Jax/LHv1ghDFcIbXODeKlAxmIjSAmtFIgPebwrR24YAD3saCfKihXn?= =?us-ascii?Q?Nhke11TiNr5qtvsZ6X8rSzyM5B482qIDXuXoRh3SDvYmbGlTS5rsLfHJ78UV?= =?us-ascii?Q?6ayKeadVe70KqW6DdTQlNUENAZaPzkf0zmUXBJmO5pgzmjWoLRtjbRkaVDow?= =?us-ascii?Q?SLIakxOqerKrsr102rCGN1YtMh62eVUGldrIJN0pmL6JSOgRWjl/GIxdGpA9?= =?us-ascii?Q?5VcXYCPOB5aOyUD4sG4snyxHAK5b3J71yh+GX+yD4xnu9W4DQQPXWCZEz35A?= =?us-ascii?Q?hjxwl+PiiOMubgBULnFeEC1IIUUS0PFfCMFAio+iQZF2oWybVXvxYCwtjEMW?= =?us-ascii?Q?fkiZ9Nxompq1+jK5v7KzLbnkrWn2P6o=3D?= X-OriginatorOrg: t2data.com X-MS-Exchange-CrossTenant-Network-Message-Id: a5490f81-08e4-4455-512c-08ded6d14d64 X-MS-Exchange-CrossTenant-AuthSource: DB9P251MB0618.EURP251.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jun 2026 17:59:17.0728 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 27928da5-aacd-4ba1-9566-c748a6863e6c X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: x4cc/oW+WcZKSj2FDKiKZKGUDkXH4eMwFMljSDD/Wr/Jf+znHQTtSK2HGr3+Lnb3ZjM8POo/+9zprp7QkXjITMabmh5cu5s9kYE0UV3xyIg= X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9P251MB0350 X-Rspamd-Queue-Id: 5BF4C20258F X-Spamd-Result: default: False [-3.50 / 15.00]; BAYES_HAM(-3.00)[100.00%]; ARC_ALLOW(-1.00)[microsoft.com:s=arcselector10001:i=1]; MID_CONTAINS_FROM(1.00)[]; DMARC_POLICY_ALLOW(-0.50)[t2data.com,none]; R_MISSING_CHARSET(0.50)[]; R_DKIM_ALLOW(-0.20)[t2datacom.onmicrosoft.com:s=selector1-t2datacom-onmicrosoft-com]; R_SPF_ALLOW(-0.20)[+ip6:2a01:111:f403:c000::/51]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_TLS_LAST(0.00)[]; DKIM_TRACE(0.00)[t2datacom.onmicrosoft.com:+]; ASN(0.00)[asn:8075, ipnet:2a01:111:f000::/36, country:US]; FROM_EQ_ENVFROM(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2a01:111:f403:c201::6:from]; RCVD_COUNT_TWO(0.00)[2]; NEURAL_HAM(-0.00)[-1.000]; TO_DN_NONE(0.00)[]; FROM_HAS_DN(0.00)[] X-Rspamd-Action: no action X-Stat-Signature: kpoyk4dp3u3z6qe8385z3jr4rsn9fer1 X-Rspamd-Server: mx1 Subject: [ptxdist] [PATCH] expat: Version bump. 2.8.1 -> 2.8.2 X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false Security release. https://github.com/libexpat/libexpat/blob/R_2_8_2/expat/Changes Plugs CVEs: CVE-2026-50219: Disallow calls to functions `XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`, `XML_ParserFree`, `XML_ParserReset` to guard Expat bindings from memory corruption. CVE-2026-56131: Protect XML_ResumeParser from being called from a handler, plugging a hole in the fix to CVE-2026-50219 CVE-2026-56132: Fix out-of-bound scaffolding index store in `doProlog` CVE-2026-56403: Integer overflow in `storeAtts` CVE-2026-56404: Integer overflow in `addBinding` CVE-2026-56405: Integer overflow in `getAttributeId` CVE-2026-56406: Integer overflow in `XML_ParseBuffer` CVE-2026-56407: Integer overflow in `textLen` handling CVE-2026-56408: Integer overflow in `copyString` CVE-2026-56409: xmlwf: Integer overflow in output path join CVE-2026-56410: xmlwf: Integer overflow in `resolveSystemId` CVE-2026-56411: xmlwf: Integer overflow in notation list allocation CVE-2026-56412: Guard XML_TOK_DATA_CHARS handler calls in `doCdataSection`, plugging a hole in the fix to CVE-2026-50219 Signed-off-by: Christian Melki --- rules/expat.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/expat.make b/rules/expat.make index 411afc4eb..acf88b4d8 100644 --- a/rules/expat.make +++ b/rules/expat.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_EXPAT) += expat # # Paths and names # -EXPAT_VERSION := 2.8.1 -EXPAT_SHA256 := f5833dd2e1cd7739ec9182804a1a29c4f0cc7c2f26b633d3a2188b7766a88ecb +EXPAT_VERSION := 2.8.2 +EXPAT_SHA256 := 69e7f52417d85b1c2b7fe855e176eec55d0b2d7d92d691372d833a1c7df7923b EXPAT := expat-$(EXPAT_VERSION) EXPAT_SUFFIX := tar.bz2 EXPAT_RELEASE := R_$(subst .,_,$(EXPAT_VERSION)) -- 2.43.0