[EXT] Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Yegnaram, Shrikant SYegnaram at cls-bank.com
Thu Dec 12 14:52:21 EST 2024


Hello Boris

Greetings.
Starting this thread again, since we have a follow-up query.

There are a bunch of vulnerabilities listed on the NVD website for the 2.1 expat release:
https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Alibexpat_project%3Alibexpat%3A2.1.0%3A*%3A*%3A*%3A*%3A*%3A*%3A*&orderBy=publishDate&orderDir=desc&startIndex=0

Specifically, we are looking at whether CVE-2016-0718 for expat was fixed in the Codesynthesis XSD/e 3.2.0 release?
If not, what is the plan for a new XSD/e release with the fixes for the libexpat vulnerabilities?


Thanks,
Shrikant Yegnaram


-----Original Message-----
From: Boris Kolpackov <boris@codesynthesis.com>
Sent: Thursday, February 22, 2024 4:06 AM
To: Yegnaram, Shrikant <SYegnaram@cls-bank.com>
Cc: xsde-users@codesynthesis.com
Subject: [EXT] Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Yegnaram, Shrikant <SYegnaram@cls-bank.com> writes:

> Can you also share the version of expat that CXSDE uses.

It is version 2.1 with a number of bug fixes backported from later versions. The "upstream" (with regards to libxsde) for this work lives here:

https://github.com/boris-kolpackov/libexpat/tree/2.1

To preempt the question of why we do not upgrade to the latest expat: the reason is that later versions started sacrificing portability in the name of security (like depending on platform-specific date/time functions for hash seeds), which we cannot afford in XSD/e.


> Can you also notify here if and when you happen to publish any
> vulnerabilities to mitre.org.

Yes, will do.