ostroproject / ostro-os

Ostro OS

expat vulnerability CVE-2016-4472 #195

Open ipuustin opened 7 years ago

ipuustin commented 7 years ago

Base CVSS severity 8.1 (high). Ostro OS severity not yet analyzed.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4472

ipuustin commented 7 years ago

It seems that this issue is a false alarm -- the fix is already in expat 2.2.0 even though the CVE database indicates expat 2.2.0 to be vulnerable. See https://sourceforge.net/p/expat/code_git/ci/master/tree/expat/Changes for the list of CVE fixes included in the 2.2.0 release.