CVE-2022-25315 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

The overflow is in the computation of the size of the buffer that storeRawNames allocates to keep an element's raw (as-written) name alongside its converted name. That size is the sum of the converted name length and the raw name length, stored in an int. A crafted document whose element name is close to 2 GB long pushes the sum past INT_MAX, the stored value wraps to a negative or small number, the buffer is not enlarged, and the subsequent copy of the raw name writes past the end of the heap allocation. The result is at least a crash (denial of service) in any application that hands untrusted XML to an affected Expat.

Expat 2.4.5 fixes the issue by checking the size computation for overflow before allocating and failing the parse instead. The fix only takes effect once the running application actually loads the fixed library: applications that bundle or statically link their own copy of Expat (several language runtimes and embedded projects do) have to be rebuilt or updated separately from the system package.
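To make the failure mode concrete, here is an added example written for this page (it is not Expat's own code) that models the size computation in storeRawNames before and after the fix. It assumes a default Expat build where XML_Char is a plain char, copies the ROUND_UP macro from xmlparse.c, and treats int as 32 bits; the hardened check is written in the spirit of the guard that 2.4.5 added rather than being a copy of it, and the "huge" inputs are constructed lengths, not a real 2 GB document.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expat's ROUND_UP macro from xmlparse.c. */
#define ROUND_UP(n, sz) (((n) + ((sz) - 1)) & ~((sz) - 1))

/* XML_Char is a plain char in a default (non-XML_UNICODE) Expat build; assumed here. */
typedef char XML_Char;

/* nameLen as storeRawNames computes it: the converted name plus its terminator. */
static size_t converted_name_len(int32_t name_strlen) {
    return sizeof(XML_Char) * ((size_t)name_strlen + 1);
}

/*
 * Model of the pre-2.4.5 computation
 *     bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
 * where bufSize is an int. The sum is formed in size_t and then stored into
 * the int, which keeps only the low 32 bits (implementation-defined in C, but
 * what gcc and clang do). Sums above INT_MAX therefore come back negative.
 */
int32_t unchecked_buf_size(int32_t name_strlen, int32_t raw_name_len) {
    size_t sum = converted_name_len(name_strlen)
               + ROUND_UP((size_t)raw_name_len, sizeof(XML_Char));
    uint32_t low = (uint32_t)sum;            /* truncation to 32 bits */
    int32_t as_int;
    memcpy(&as_int, &low, sizeof as_int);    /* int32_t is two's complement by definition */
    return as_int;
}

/*
 * Hardened computation in the spirit of the guard Expat 2.4.5 added: refuse
 * any size that would not fit an int before the arithmetic can wrap.
 * Returns 1 and stores the size in *out, or 0 if the size would overflow.
 */
int checked_buf_size(int32_t name_strlen, int32_t raw_name_len, int32_t *out) {
    size_t name_len = converted_name_len(name_strlen);
    if (raw_name_len < 0 || name_len > (size_t)INT_MAX) return 0;
    /* Detect and prevent integer overflow. */
    if ((size_t)raw_name_len > (size_t)INT_MAX - name_len) return 0;
    size_t sum = name_len + ROUND_UP((size_t)raw_name_len, sizeof(XML_Char));
    if (sum > (size_t)INT_MAX) return 0;     /* ROUND_UP can add sizeof(XML_Char) - 1 */
    *out = (int32_t)sum;
    return 1;
}

/* Convenience wrapper: the checked size, or -1 when the check refuses it. */
int32_t checked_buf_size_or_minus1(int32_t name_strlen, int32_t raw_name_len) {
    int32_t size = 0;
    return checked_buf_size(name_strlen, raw_name_len, &size) ? size : -1;
}

/*
 * Downstream effect in storeRawNames: the buffer only grows when
 * "bufSize > bufEnd - buf" holds. A negative bufSize fails that test, the
 * buffer keeps its old capacity, and the following memcpy of raw_name_len
 * bytes (placed right after the converted name) runs past the end of it.
 * Returns 1 if the copy would write beyond the buffer's capacity.
 */
int would_overrun(int32_t name_strlen, int32_t raw_name_len, ptrdiff_t current_capacity) {
    int32_t buf_size = unchecked_buf_size(name_strlen, raw_name_len);
    size_t capacity = (buf_size > current_capacity) ? (size_t)buf_size : (size_t)current_capacity;
    size_t bytes_written = converted_name_len(name_strlen) + (size_t)raw_name_len;
    return bytes_written > capacity;
}

int main(void) {
    /* Ordinary element name: both computations agree and nothing overruns. */
    printf("small: unchecked=%d checked=%d overrun=%d\n",
           unchecked_buf_size(3, 10),
           checked_buf_size_or_minus1(3, 10),
           would_overrun(3, 10, 8));
    /* Constructed worst case: a raw name just under INT_MAX bytes long. */
    printf("huge:  unchecked=%d checked=%d overrun=%d\n",
           unchecked_buf_size(3, INT32_MAX - 1),
           checked_buf_size_or_minus1(3, INT32_MAX - 1),
           would_overrun(3, INT32_MAX - 1, 64));
    return 0;
}
```

The point to take from the model is that the dangerous value is not a huge allocation but a negative one: it is the growth test that silently passes, so the bug is invisible to allocation-size limits and only a check on the arithmetic itself (or a cap on input size far below 2 GB) closes it.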

Affected versions:

libexpat before 2.4.5

Fixed versions:

libexpat 2.4.5 and later

Upgrading is strongly recommended. Where libexpat comes from the distribution, the fix (or a backport of it) arrives through the package manager; update the runtime library package, not only the development headers, and then restart the processes that have the old shared object loaded:

For Debian/Ubuntu:

apt-get update && apt-get install --only-upgrade libexpat1

For Red Hat/CentOS:

yum update expat

For other distributions, see the instructions on the libexpat website.
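A practitioner usually wants to confirm which Expat a given binary is really linked against, since the system package and a bundled copy can differ. The following added example (written for this page, not part of Expat or of any distribution's tooling) parses an Expat version string, in either the bare "2.4.4" form or the "expat_2.4.4" form returned by Expat's XML_ExpatVersion(), and reports whether it predates the 2.4.5 fix; the sample strings are constructed, and a program linked against Expat would pass XML_ExpatVersion() instead.

```c
#include <stdio.h>
#include <string.h>

/*
 * Parses an Expat version string. Accepts the bare "2.4.4" form and the
 * "expat_2.4.4" form that Expat's XML_ExpatVersion() returns.
 * Returns 1 and fills the three components on success, 0 otherwise.
 */
int parse_expat_version(const char *s, int *major, int *minor, int *micro) {
    static const char prefix[] = "expat_";
    if (s == NULL) return 0;
    if (strncmp(s, prefix, sizeof prefix - 1) == 0) s += sizeof prefix - 1;
    *major = *minor = *micro = -1;
    if (sscanf(s, "%d.%d.%d", major, minor, micro) != 3) return 0;
    return *major >= 0 && *minor >= 0 && *micro >= 0;
}

/*
 *  1 if the version predates the 2.4.5 fix for CVE-2022-25315,
 *  0 if it is 2.4.5 or later,
 * -1 if the string could not be parsed (treat as affected until checked).
 */
int expat_affected_by_cve_2022_25315(const char *version) {
    int major, minor, micro;
    if (!parse_expat_version(version, &major, &minor, &micro)) return -1;
    if (major != 2) return major < 2;
    if (minor != 4) return minor < 4;
    return micro < 5;
}

int main(void) {
    /* Constructed inputs; in a program linked against Expat you would pass
     * XML_ExpatVersion() (declared in <expat.h>) instead of these literals. */
    const char *samples[] = { "expat_2.4.4", "2.4.5", "2.5.0", "1.95.8", "2.4" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], expat_affected_by_cve_2022_25315(samples[i]));
    return 0;
}
```

One caveat: a distribution package that backported the fix keeps its older upstream version number, so a string such as "expat_2.2.10" will be reported as affected even when the package is patched. For packaged libraries, check the package changelog as well (apt changelog libexpat1 on Debian/Ubuntu, rpm -q --changelog expat on Red Hat/CentOS) and look for this CVE identifier.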



LibXML2 Update

libxml2 is a separate XML parser with its own code base and is not affected by CVE-2022-25315, which is specific to Expat's storeRawNames. libxml2 already represents parsed documents internally as UTF-8 and transcodes other declared input encodings, including UTF-16, on the way in, so no change of processing encoding is involved in addressing this issue. What decides whether an application needs this update is whether it parses XML with Expat or with libxml2, and it may use both through different dependencies.


Mitigation Steps

To mitigate this vulnerability, upgrade to libexpat 2.4.5 or later. Earlier release lines (2.2.x, 2.3.x and 2.4.0 to 2.4.4) do not contain the fix unless a distribution has backported it, so do not treat a pre-2.4.5 version as safe on its own.

If you cannot upgrade immediately: reaching the overflowing size computation requires an element name of roughly 2 GB, so a hard cap on the size of documents accepted from untrusted sources that stays well below that (for example a few hundred megabytes) keeps the bug unreachable until the library is updated.


Timeline

Published on: 02/18/2022 05:15:00 UTC
Last modified on: 06/14/2022 11:15:00 UTC

References