Vulnerabilities in the Expat library leading to code execution when processing XML data

The Expat 2.4.5 library, used for parsing the XML format in many projects, including Apache httpd, OpenOffice, LibreOffice, Firefox, Chromium, Python and Wayland, fixes five dangerous vulnerabilities, four of which potentially allow an attacker to achieve execution of their code when specially crafted XML data is processed by applications using libexpat. For two of the vulnerabilities, working exploits are reported to exist. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

Identified vulnerabilities:

  • CVE-2022-25235 - buffer overflow caused by incorrect validation of Unicode character encoding, which can lead (an exploit exists) to code execution when processing specially crafted sequences of 2- and 3-byte UTF-8 characters in XML tag names.
  • CVE-2022-25236 - possibility of substituting namespace separator characters from the values of "xmlns[:prefix]" attributes into the URI. The vulnerability allows code execution when processing attacker-prepared data (an exploit exists).
  • CVE-2022-25313 - stack exhaustion when parsing the "doctype" block (DTD), observed with files larger than 2 MB that contain a very large number of open parentheses. The vulnerability could potentially be used to achieve code execution on the system.
  • CVE-2022-25315 - integer overflow in the storeRawNames function, which occurs only on 64-bit systems and requires processing gigabytes of data. The vulnerability could potentially be used to achieve code execution on the system.
  • CVE-2022-25314 - integer overflow in the copyString function, which occurs only on 64-bit systems and requires processing gigabytes of data. The issue may lead to denial of service.
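Two things a defender can do immediately follow from the list above: confirm that the libexpat an application actually links is at least 2.4.5, and stop untrusted input from reaching the DTD and oversized-input code paths at all. The Python script below is an added example written for this article; it is not code from the Expat project or from opennet.ru. It uses Python's bundled `pyexpat` (one of the consumers named above) to report the linked Expat version, and it parses untrusted XML with a size cap and a `StartDoctypeDeclHandler` that aborts the parse as soon as a DOCTYPE appears. The 2 MB cap, the `DtdRejected` exception and the sample documents are all constructed for this example.

```python
"""Version check and pre-parse guards for untrusted XML handed to libexpat (added example)."""
import pyexpat
from xml.parsers.expat import ParserCreate

# Fixed release named in the advisory above.
MIN_FIXED_VERSION = (2, 4, 5)

# Constructed cap: the advisory observed the DTD stack-exhaustion issue on
# files larger than 2 MB, and the integer overflows need gigabytes of input,
# so refusing anything above 2 MB from untrusted sources removes both paths.
MAX_UNTRUSTED_BYTES = 2 * 1024 * 1024


class DtdRejected(Exception):
    """Raised when untrusted input carries a DOCTYPE/DTD block (hypothetical name)."""


def expat_is_patched(version=None):
    """Return True if the linked libexpat is 2.4.5 or newer.

    `version` defaults to pyexpat.version_info, the (major, minor, micro)
    tuple of the Expat build that this Python interpreter links against.
    """
    linked = tuple(pyexpat.version_info) if version is None else tuple(version)
    return linked >= MIN_FIXED_VERSION


def parse_untrusted(data, max_bytes=MAX_UNTRUSTED_BYTES):
    """Parse XML from an untrusted source and return the number of elements.

    Raises ValueError if the input exceeds `max_bytes` and DtdRejected if a
    DOCTYPE declaration is encountered, before any DTD content is processed.
    """
    if len(data) > max_bytes:
        raise ValueError("untrusted XML exceeds %d bytes" % max_bytes)

    parser = ParserCreate()
    counts = {"elements": 0}

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Exceptions raised in a handler propagate out of parser.Parse().
        raise DtdRejected("DOCTYPE %r not allowed in untrusted input" % doctype_name)

    def start_element(name, attrs):
        counts["elements"] += 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.Parse(data, True)  # True: this is the final (and only) chunk
    return counts["elements"]


if __name__ == "__main__":
    print("linked expat:", pyexpat.EXPAT_VERSION,
          "patched" if expat_is_patched() else "NOT patched (< 2.4.5)")

    # Constructed sample inputs.
    plain = b"<root><item/><item/></root>"
    with_dtd = b"<!DOCTYPE root [<!ELEMENT root ANY>]><root/>"

    print("plain document elements:", parse_untrusted(plain))
    try:
        parse_untrusted(with_dtd)
    except DtdRejected as exc:
        print("rejected:", exc)
```

Rejecting DOCTYPE outright is the right default for input from the network; applications that genuinely need DTD support should only enable it for trusted sources and still keep the size cap in place.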

    Source: opennet.ru
