In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Reference:
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
https://github.com/libexpat/libexpat/issues/317
https://github.com/libexpat/libexpat/issues/342
https://github.com/libexpat/libexpat/pull/318
Created expat tracking bugs for this issue:
Affects: fedora-all [bug 1752596]

Created mingw-expat tracking bugs for this issue:
Affects: fedora-all [bug 1752597]

Created mingw-expat tracking bugs for this issue:
Affects: epel-7 [bug 1752598]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:3210 https://access.redhat.com/errata/RHSA-2019:3210
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-15903
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:3237 https://access.redhat.com/errata/RHSA-2019:3237
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2019:3756 https://access.redhat.com/errata/RHSA-2019:3756
This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Is there any plan to provide a patch for expat in RHEL7? Is it possible to use the Thunderbird patch for expat, since both packages are affected and the ticket is closed by providing a fix for Thunderbird only? Also, any mitigation steps?
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This issue has been addressed in the following products:
JBoss Core Services on RHEL 6
JBoss Core Services on RHEL 7
Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644
This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:3952 https://access.redhat.com/errata/RHSA-2020:3952
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4484 https://access.redhat.com/errata/RHSA-2020:4484