CVE-2022-25314 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
This issue has been fixed in version 2.5.0, so upgrade your installation as soon as that version is available to you. In the meantime, you can upgrade to version 2.4.5.
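A quick way to confirm whether the Expat copy a Python interpreter is linked against predates the fix is to compare its version against 2.4.5. This is an added check, not code from the advisory; the cut-off of 2.4.5 comes from the CVE text above, and the helper and function names are the example's own.

```python
"""Check whether the linked Expat is older than the CVE-2022-25314 fix.

Added example; the only fact taken from the advisory is the fixed
version (2.4.5). pyexpat.version_info and pyexpat.EXPAT_VERSION are
standard-library attributes of CPython's Expat binding.
"""
import re

import pyexpat

# First Expat release containing the copyString integer-overflow fix.
FIXED_VERSION = (2, 4, 5)


def parse_expat_version(text):
    """Parse 'expat_2.4.5', '2.4.5' or 'libexpat 2.4.5-1' into (2, 4, 5)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the given (major, minor, micro) tuple is older than the fix."""
    return tuple(version) < tuple(fixed)


def check_runtime():
    """Report on the Expat copy this interpreter's pyexpat module uses."""
    # version_info is an int tuple; EXPAT_VERSION is the same as a string.
    version = pyexpat.version_info
    assert version == parse_expat_version(pyexpat.EXPAT_VERSION)
    return {"expat_version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    report = check_runtime()
    status = "VULNERABLE" if report["vulnerable"] else "fixed"
    print(f"Expat {'.'.join(map(str, report['expat_version']))}: {status}")
```

Run it with each interpreter on a host; a system packaged Python and a bundled one may link different Expat copies.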
libexpat is not the only dependency that may need updating; other dependencies may have newer versions as well. For example, if you are using PHP 7 or a newer version, and your website uses any of the following PECL extensions, you should upgrade them to the latest version:
Redis
Redis is a popular open source data store that many websites and applications use, often as a backend database. It handles all kinds of data, from simple strings to complex objects like JSON, and is most often chosen where high performance, high availability, and scalability are required.
Installing Redis
Redis can be installed in two ways: manually from source, or from a package. Manual installation is recommended, as it lets you choose which version of the library to install.
1) Download the latest version of redis from https://github.com/antirez/redis/releases
2) Unzip the archive and move the unzipped folder to your desired location
3) Change into the directory and run ./configure
4) Run make dep to ensure that all dependencies are installed correctly
5) Run make install after the configure command is completed
6) Run ./install-service to start the service if desired
Install libevent
libevent is a cross-platform library for event handling in user-level programs. It provides an abstraction layer over the different operating systems' event handling mechanisms, so that users can focus on the task at hand without having to worry about the underlying system call or API.
If you're coding something that needs to be fast and scalable, you should check out libevent. If your application uses some of these libraries, make sure to upgrade them as soon as possible.
Update to the latest version
If you are using Redis, make sure to update it to the latest version. Its dependencies have been updated along with it, and known issues in those dependencies were fixed in the newest Redis releases.
Installing Redis on Ubuntu Linux
You can install Redis on Ubuntu Linux by using a PPA repository.
The following commands will add the PPA to your system, upgrade the package, and install it.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb http://ppa.launchpad.net/ibm-devscripts/ubuntu bionic main" | sudo tee /etc/apt/sources.list.d/redis-stable-bionic.list
sudo apt update
sudo apt install redis-server
Timeline
Published on: 02/18/2022 05:15:00 UTC
Last modified on: 06/14/2022 11:15:00 UTC
References
- https://github.com/libexpat/libexpat/pull/560
- http://www.openwall.com/lists/oss-security/2022/02/19/1
- https://www.debian.org/security/2022/dsa-5085
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
- https://security.netapp.com/advisory/ntap-20220303-0008/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25314