Release date:
2026-06-05 12:40:00 UTC
Description:
* SECURITY UPDATE: hash flooding via crafted XML caused by insufficient
entropy in the hash secret salt
- debian/patches/CVE-2026-41080.patch: migrate hash salt storage to a
full 128-bit struct sipkey and extract 16 bytes of entropy (instead of
4 to 8) in expat/lib/xmlparse.c; add XML_SetHashSalt16Bytes() API in
expat/lib/expat.h for supplying a full 128-bit salt
- debian/libexpat1.symbols: add new XML_SetHashSalt16Bytes symbol
- CVE-2026-41080
Updated packages:
-
expat_2.2.9-1ubuntu0.8+tuxcare.els5_amd64.deb
sha:c86a2e16527591ae6a5bca89e20e3485c8d499ac
-
libexpat1_2.2.9-1ubuntu0.8+tuxcare.els5_amd64.deb
sha:dacb13c0e967de17de9200f6e893e18fbba3d2f0
-
libexpat1-dev_2.2.9-1ubuntu0.8+tuxcare.els5_amd64.deb
sha:2197094b10da80c6c32b650aa165e62393d4f039
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
