CVE-2011-2188

Name: CVE-2011-2188
Description: LuaExpat before 1.2.0 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 629225

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                  Version   Status
lua-expat (PTS)    buster, bullseye         1.3.0-4   fixed
                   sid, trixie, bookworm    1.5.1-3   fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
lua-expat   source   squeeze      1.2.0-0squeeze1
lua-expat   source   (unstable)   1.2.0-1           low                629225

Notes

[lenny] - lua-expat <no-dsa> (Minor issue)
