Introduced through:
- github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.14.0
+ docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
+ See How to fix? for Alpine:3.20 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.20 openssl to version 3.3.2-r0 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
+
Remediation
+
There is no fixed version for Ubuntu:24.04 openssl.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to not sanitizing URLs when writing them to the log file. This could lead to an attacker writing sensitive HTTP Basic auth credentials to the log file.
-
Remediation
-
Upgrade github.com/hashicorp/go-retryablehttp to version 0.7.7 or higher.
Introduced through:
- github.com/hairyhenderson/gomplate/v3@* and github.com/gosimple/slug@v1.12.0
+ github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.1
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to not sanitizing URLs when writing them to the log file. This could lead to an attacker writing sensitive HTTP Basic auth credentials to the log file.
+
Remediation
+
Upgrade github.com/hashicorp/go-retryablehttp to version 0.7.7 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18 openssl to version 3.1.7-r0 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
+
Remediation
+
There is no fixed version for Ubuntu:22.04 openssl.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.18 or higher.
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
-
Remediation
-
Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
+
Remediation
+
Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to not sanitizing URLs when writing them to the log file. This could lead to an attacker writing sensitive HTTP Basic auth credentials to the log file.
-
Remediation
-
Upgrade github.com/hashicorp/go-retryablehttp to version 0.7.7 or higher.
Introduced through:
- github.com/hairyhenderson/gomplate/v3@* and github.com/gosimple/slug@v1.12.0
+ github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.1
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to not sanitizing URLs when writing them to the log file. This could lead to an attacker writing sensitive HTTP Basic auth credentials to the log file.
+
Remediation
+
Upgrade github.com/hashicorp/go-retryablehttp to version 0.7.7 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
+ See How to fix? for Alpine:3.19 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.19 openssl to version 3.1.7-r0 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
+ See How to fix? for Alpine:3.18 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.18 openssl to version 3.1.7-r0 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
+
Remediation
+
There is no fixed version for Ubuntu:22.04 openssl.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.18 or higher.
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
- See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
-
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
-
Remediation
-
Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
+
Remediation
+
Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to not sanitizing URLs when writing them to the log file. This could lead to an attacker writing sensitive HTTP Basic auth credentials to the log file.
-
Remediation
-
Upgrade github.com/hashicorp/go-retryablehttp to version 0.7.7 or higher.
Introduced through:
- github.com/hairyhenderson/gomplate/v3@* and github.com/gosimple/slug@v1.12.0
+ github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.1
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to not sanitizing URLs when writing them to the log file. This could lead to an attacker writing sensitive HTTP Basic auth credentials to the log file.
+
Remediation
+
Upgrade github.com/hashicorp/go-retryablehttp to version 0.7.7 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
+ See How to fix? for Alpine:3.19 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.19 openssl to version 3.1.7-r0 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
+ See How to fix? for Alpine:3.20 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Alpine:3.20 openssl to version 3.3.2-r0 or higher.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
+
Remediation
+
There is no fixed version for Ubuntu:24.04 openssl.
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
Issue summary: Applications performing certificate name checks (e.g., TLS
+ clients checking server certificates) may attempt to read an invalid memory
+ address resulting in abnormal termination of the application process.
+
Impact summary: Abnormal termination of an application can cause a denial of
+ service.
+
Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an otherName subject alternative name of an
+ X.509 certificate. This may result in an exception that terminates the
+ application program.
+
Note that basic certificate chain validation (signatures, dates, ...) is not
+ affected, the denial of service can occur only when the application also
+ specifies an expected DNS name, Email address or IP address.
+
TLS servers rarely solicit client certificates, and even when they do, they
+ generally don't perform a name check against a reference identifier (expected
+ identity), but rather extract the presented identity after checking the
+ certificate chain. So TLS servers are generally not affected and the severity
+ of the issue is Moderate.
+
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
+
Remediation
+
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.4 or higher.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
+ See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
+
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).