Your message dated Tue, 16 Sep 2025 18:34:05 +0000
with message-id <[email protected]>
and subject line Bug#1115298: fixed in expat 2.7.2-1
has caused the Debian Bug report #1115298,
regarding expat: CVE-2025-59375
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1115298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115298
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: expat
Version: 2.7.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/issues/1018
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for expat.

CVE-2025-59375[0]:
| libexpat in Expat before 2.7.2 allows attackers to trigger large
| dynamic memory allocations via a small document that is submitted
| for parsing.

Fixes not merged (at time of writing), but mainly filling a BTS bug
for tracking already.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59375
    https://www.cve.org/CVERecord?id=CVE-2025-59375
[1] https://github.com/libexpat/libexpat/issues/1018
[2] https://github.com/libexpat/libexpat/pull/1034

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: expat
Source-Version: 2.7.2-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Sep 2025 19:59:38 +0200
Source: expat
Architecture: source
Version: 2.7.2-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1115298
Changes:
 expat (2.7.2-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2025-59375: disallow use of disproportional amounts of
       dynamic memory from within an Expat parser (closes: #1115298).
   * Update fix-expat-cmake patch.
   * Update libexpat1 symbols.
   * Update Standards-Version to 4.7.2 .
Checksums-Sha1:
 8cd917fc72da099bd4f85da649a81886eaefab88 1964 expat_2.7.2-1.dsc
 a98c6a876dbe4700adb846d4886b308d80b345d9 8439887 expat_2.7.2.orig.tar.gz
 627a0f996e89e0bdf44828a66e0cbfc8103556eb 13356 expat_2.7.2-1.debian.tar.xz
Checksums-Sha256:
 3848a9d616595f9e135428438ab224cf180dcaf680e1fe4534a75161cf633dc4 1964 
expat_2.7.2-1.dsc
 d09e2dd23398805cec1bac2860304714c96dc2fde629a7a1a77d0880ab7cd242 8439887 
expat_2.7.2.orig.tar.gz
 b18eda5d9241854fd95f55279f0218645488bc904f8a5bd18f3a3d5e716a282e 13356 
expat_2.7.2-1.debian.tar.xz
Files:
 7903cf1aaa85b622b129c57ac312ff14 1964 text optional expat_2.7.2-1.dsc
 2f9776968172e360fbf385d99660ce28 8439887 text optional expat_2.7.2.orig.tar.gz
 4c95c171292ad98b6bc4695b3387e872 13356 text optional 
expat_2.7.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAmjJqcoACgkQ3OMQ54ZM
yL8NhQ/9ExuRAb6BGq52bQKTcT0YsRWn+RdyL1TJ46cLDRAElhEDMUQ0KxW1qqGe
8yRLl/RfQY+iA+QwgMZ2PaeG8Z2cMy+UBtZHYlEGxfYFZo/az9eRli4pQ5Xp19E/
4AhFrz8FNNPX9OLjBfqdLpJ+jqfKbn8hjiIs6ge5OJeQPpNzu2YaNt47eJrz5whN
U8SJ2DsyJf0LFTlSn/kjb3zwU/2qEAK5Qub1NFsX1HMjFm9/Su+petxxDyUGY+uJ
Lyj6l1LLdExs/yybd3KR2onDdncVLDZ3suezWp6/vZHsVovChs1D5nXIhqlyratn
5DqQ26n3S1VmMHFZD5x0RVFaivtAT2dd27x2D3HwYYptgzb4o/ER3oJLxt95J6Hj
ZQaH/L7X858uhgYYXb44SY8rSpDHhvH8PxJ2le38fINI4HYTJ7VbS+VOYVuiEGJF
TQJELksyqEr+88BOjkYlGnyGLu+Wlf4i6Moq5NOlQtuzThEsya2RNNMUBbkxVTAH
b2GsIK7elvnuYRqZV4a4+beFxt8+V4mhMbmN9RobEgHbB761dAEOCxdyD0FwVVBv
dfgBzZpGroHOfcv35cCU27w0URPnwtKnLwZpO963oWb5JkUbooRTh2zXhSP5rzYi
e12p8G/U6s4JZltxcFmgY57v4A16kR/+Ubr2GbqcvIQz+ZtJOLQ=
=2w6D
-----END PGP SIGNATURE-----

Attachment: pgpEJcYn8sIdY.pgp
Description: PGP signature


--- End Message ---

Reply via email to