Hi all, An update for expat (landed in unstable earlier) and now as DSA 5085-2 for buster and bullseye as well is released which relaxes the fix for CVE-2022-25236 with regard to RFC 3986 URI characters.
So there is no immediate action for updating the affected packages from regressions ins buster and bulleye. For unstable (and bookworm) given the API docs of function XML_ParserCreateNS do advise against using URI characters in namespace searators and expat might be stricter in future about their use, it's still recomended to address these isses (I see biboumi in fact did already in #1006333, thanks Jonas, Slavko and Diane). Regards, Salvatore