Summary:
The update for expat released as DSA 5085-1 introduced regressions for applications using URI characters (':' in particular) for a namespace separator (while the HTML API docs of function XML_ParserCreateNS have been advising against their use). Updated expat packages are now available which relax the fix for CVE-2022-25236 with regard to RFC 3986 URI characters.
Pipelines throw a warning during deployments:
Vulnerable Packages Found
DSA-5085-2 Policy Status: Active
Vendor Security Notice IDs / Official Notice:
  DSA-5085-2: https://lists.debian.org/debian-security-announce/2022/msg00069.html

Affected Packages / Policy Status / How to Resolve / Security Notice:
  libexpat1 | Active | Upgrade libexpat1 to >= 2.2.10-2+deb11u3 | DSA-5085-2