Format: 1.8
Date: Thu, 25 Jun 2026 19:44:46 +0200
Source: expat
Architecture: source
Version: 2.8.2-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1138862 1140387 1140388 1140557
Changes:
 expat (2.8.2-1) unstable; urgency=high
 .
   * New upstream release (closes: #1138862, #1140387, #1140388, #1140557):
     - fixes CVE-2026-56131: protect XML_ResumeParser() from being called
       from a handler,
     - fixes CVE-2026-56132: fix out-of-bound scaffolding index store in
       doProlog(),
     - fixes CVE-2026-50219: disallow calls to some functions to guard
       Expat bindings from memory corruption,
     - fixes CVE-2026-56403: integer overflow in storeAtts(),
     - fixes CVE-2026-56404: integer overflow in addBinding(),
     - fixes CVE-2026-56405: integer overflow in getAttributeId(),
     - fixes CVE-2026-56406: integer overflow in XML_ParseBuffer(),
     - fixes CVE-2026-56407: integer overflow in textLen handling,
     - fixes CVE-2026-56408: integer overflow in copyString(),
     - fixes CVE-2026-56409: integer overflow in output path join in xmlwf,
     - fixes CVE-2026-56410: integer overflow in resolveSystemId() in xmlwf,
     - fixes CVE-2026-56411: Integer overflow in notation list allocation
       in xmlwf,
     - fixes CVE-2026-56412: guard XML_TOK_DATA_CHARS handler calls in
       doCdataSection().
Checksums-Sha1:
 3f141f1ebe00e9160a6641f1d0564ac4b8ff20ff 1970 expat_2.8.2-1.dsc
 23acb997daf1a51080bb923763d4abb10a171953 8462437 expat_2.8.2.orig.tar.gz
 808f0e5034befa738d57a94a3fc9cd549838d9cf 14012 expat_2.8.2-1.debian.tar.xz
Checksums-Sha256:
 f712641d71796c80989171ffcbedd1f9af7400d23e533fd9fe00d4557779311c 1970 expat_2.8.2-1.dsc
 ca9d7c05560653cb977bfaa1ac54f717919cc0c68f6798b42fe55347c0b0ad52 8462437 expat_2.8.2.orig.tar.gz
 f2b8e4f360715497ef5d8f41d78f6ca71ee2ad5df00decc4a222ba74a4a66aa9 14012 expat_2.8.2-1.debian.tar.xz
Files:
 c0b672edf70d277079d0906ecd4a6016 1970 text optional expat_2.8.2-1.dsc
 ff239cbbf910e7d0d5f2ebe548aa9c1f 8462437 text optional expat_2.8.2.orig.tar.gz
 c51fdedb6f29a5af3c74a4e4ae21c1cb 14012 text optional expat_2.8.2-1.debian.tar.xz