{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"expat security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for expat is now available for openEuler-24.03-LTS",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial.\n\nSecurity Fix(es):\n\nA stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.(CVE-2024-8176)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for expat is now available for openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"expat",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2025-2564",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2564"
			},
			{
				"summary":"CVE-2024-8176",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-8176&packageName=expat"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8176"
			},
			{
				"summary":"openEuler-SA-2025-2564 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openEuler-SA-2025-2564.json"
			}
		],
		"title":"An update for expat is now available for openEuler-24.03-LTS",
		"tracking":{
			"initial_release_date":"2025-11-06T17:04:03+08:00",
			"revision_history":[
				{
					"date":"2025-11-06T17:04:03+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2025-11-06T17:04:03+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2025-11-06T17:04:03+08:00",
			"id":"openEuler-SA-2025-2564",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-help-2.5.0-12.oe2403.noarch.rpm",
									"name":"expat-help-2.5.0-12.oe2403.noarch.rpm"
								},
								"name":"expat-help-2.5.0-12.oe2403.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-2.5.0-12.oe2403.aarch64.rpm",
									"name":"expat-2.5.0-12.oe2403.aarch64.rpm"
								},
								"name":"expat-2.5.0-12.oe2403.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-debuginfo-2.5.0-12.oe2403.aarch64.rpm",
									"name":"expat-debuginfo-2.5.0-12.oe2403.aarch64.rpm"
								},
								"name":"expat-debuginfo-2.5.0-12.oe2403.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-debugsource-2.5.0-12.oe2403.aarch64.rpm",
									"name":"expat-debugsource-2.5.0-12.oe2403.aarch64.rpm"
								},
								"name":"expat-debugsource-2.5.0-12.oe2403.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-devel-2.5.0-12.oe2403.aarch64.rpm",
									"name":"expat-devel-2.5.0-12.oe2403.aarch64.rpm"
								},
								"name":"expat-devel-2.5.0-12.oe2403.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-2.5.0-12.oe2403.src.rpm",
									"name":"expat-2.5.0-12.oe2403.src.rpm"
								},
								"name":"expat-2.5.0-12.oe2403.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-2.5.0-12.oe2403.x86_64.rpm",
									"name":"expat-2.5.0-12.oe2403.x86_64.rpm"
								},
								"name":"expat-2.5.0-12.oe2403.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-debuginfo-2.5.0-12.oe2403.x86_64.rpm",
									"name":"expat-debuginfo-2.5.0-12.oe2403.x86_64.rpm"
								},
								"name":"expat-debuginfo-2.5.0-12.oe2403.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-debugsource-2.5.0-12.oe2403.x86_64.rpm",
									"name":"expat-debugsource-2.5.0-12.oe2403.x86_64.rpm"
								},
								"name":"expat-debugsource-2.5.0-12.oe2403.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"expat-devel-2.5.0-12.oe2403.x86_64.rpm",
									"name":"expat-devel-2.5.0-12.oe2403.x86_64.rpm"
								},
								"name":"expat-devel-2.5.0-12.oe2403.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-help-2.5.0-12.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-help-2.5.0-12.oe2403.noarch",
					"name":"expat-help-2.5.0-12.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-2.5.0-12.oe2403.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.aarch64",
					"name":"expat-2.5.0-12.oe2403.aarch64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-debuginfo-2.5.0-12.oe2403.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.aarch64",
					"name":"expat-debuginfo-2.5.0-12.oe2403.aarch64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-debugsource-2.5.0-12.oe2403.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.aarch64",
					"name":"expat-debugsource-2.5.0-12.oe2403.aarch64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-devel-2.5.0-12.oe2403.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.aarch64",
					"name":"expat-devel-2.5.0-12.oe2403.aarch64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-2.5.0-12.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.src",
					"name":"expat-2.5.0-12.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-2.5.0-12.oe2403.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.x86_64",
					"name":"expat-2.5.0-12.oe2403.x86_64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-debuginfo-2.5.0-12.oe2403.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.x86_64",
					"name":"expat-debuginfo-2.5.0-12.oe2403.x86_64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-debugsource-2.5.0-12.oe2403.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.x86_64",
					"name":"expat-debugsource-2.5.0-12.oe2403.x86_64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"expat-devel-2.5.0-12.oe2403.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.x86_64",
					"name":"expat-devel-2.5.0-12.oe2403.x86_64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-8176",
			
			"notes":[
				{
					"text":"A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:expat-help-2.5.0-12.oe2403.noarch",
					"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.aarch64",
					"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.aarch64",
					"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.aarch64",
					"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.aarch64",
					"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.src",
					"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.x86_64",
					"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.x86_64",
					"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.x86_64",
					"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:expat-help-2.5.0-12.oe2403.noarch",
						"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.src",
						"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.x86_64",
						"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.x86_64",
						"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.x86_64",
						"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.x86_64"
					],
					"details":"expat security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2564"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:expat-help-2.5.0-12.oe2403.noarch",
						"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.aarch64",
						"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.src",
						"openEuler-24.03-LTS:expat-2.5.0-12.oe2403.x86_64",
						"openEuler-24.03-LTS:expat-debuginfo-2.5.0-12.oe2403.x86_64",
						"openEuler-24.03-LTS:expat-debugsource-2.5.0-12.oe2403.x86_64",
						"openEuler-24.03-LTS:expat-devel-2.5.0-12.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2024-8176"
		}
	]
}