Expat XML Parser Patches Critical, Long-Standing Vulnerability: A Years-Long Battle

2025-03-13

After two and a half years of effort, a critical vulnerability in the Expat XML parser, CVE-2024-8176, has finally been patched in version 2.7.0. The bug is a stack overflow: the parser handled nested constructs with recursive calls, so sufficiently deep nesting in attacker-supplied input could exhaust the stack and crash the process, making it a denial-of-service vector. Maintainer Sebastian Pipping, after reaching out to numerous companies for help, worked with Siemens and others for ten months to resolve three variants of the issue. The release also includes other improvements, among them a new fuzzer and 64-bit Windows binaries. Because libexpat is bundled into many downstream projects and firmware images, the fix only reaches users once those consumers rebuild against 2.7.0 or later. The story is a reminder that even a seemingly simple programming technique such as recursion can hide security risk, and of how much open-source maintenance depends on community collaboration.
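The bug class described above, recursion that follows attacker-controlled nesting, is easier to see in a toy than in the parser itself. The block below is an added illustration written for this page, not libexpat's code and not the CVE-2024-8176 fix: a minimal entity expander in its naive recursive form next to the usual hardening (an explicit work stack with a nesting bound), plus a check of the libexpat version bundled with the running Python. The entity table format, the `nested_chain` helper and the depth limit of 64 are assumptions made for the example.

```python
"""Toy illustration of recursion-driven stack exhaustion and its fix pattern.
Added example for this page; not libexpat's code and not the CVE-2024-8176 patch."""
import pyexpat

# Constructed entity table format (assumption): name -> list of tokens, where a
# token of the form "&name;" is a reference to another entity.
def nested_chain(depth: int) -> dict:
    """Build e0 -> "x", e1 -> &e0;, ..., e<depth> -> &e<depth-1>; (constructed input)."""
    ents = {"e0": ["x"]}
    for i in range(1, depth + 1):
        ents[f"e{i}"] = [f"&e{i - 1};"]
    return ents

def expand_recursive(name: str, ents: dict) -> str:
    """Naive expansion: one interpreter frame per nesting level.  Input that nests
    deeper than the recursion limit raises RecursionError here; the same pattern
    in C overruns the thread stack instead of raising a catchable error."""
    out = []
    for token in ents[name]:
        if token.startswith("&") and token.endswith(";"):
            out.append(expand_recursive(token[1:-1], ents))
        else:
            out.append(token)
    return "".join(out)

def expand_iterative(name: str, ents: dict, max_depth: int = 64) -> str:
    """Same expansion with an explicit work stack: depth costs heap, not stack,
    and the bound (64 is an assumed example value) turns hostile input into a
    clean error instead of a crash."""
    out = []
    stack = [iter(ents[name])]
    while stack:
        try:
            token = next(stack[-1])
        except StopIteration:
            stack.pop()
            continue
        if token.startswith("&") and token.endswith(";"):
            if len(stack) >= max_depth:
                raise ValueError(f"entity nesting deeper than {max_depth}")
            stack.append(iter(ents[token[1:-1]]))
        else:
            out.append(token)
    return "".join(out)

def recursive_overflows(name: str, ents: dict) -> bool:
    """True when the naive expander blows the interpreter's recursion limit."""
    try:
        expand_recursive(name, ents)
        return False
    except RecursionError:
        return True

def bundled_expat_is_patched() -> bool:
    """True when the libexpat linked into this Python is 2.7.0 or newer."""
    return tuple(pyexpat.version_info) >= (2, 7, 0)

if __name__ == "__main__":
    deep = nested_chain(5000)
    print("recursive expander overflows on depth 5000:", recursive_overflows("e5000", deep))
    try:
        expand_iterative("e5000", deep)
    except ValueError as err:
        print("iterative expander rejected it cleanly:", err)
    print(pyexpat.EXPAT_VERSION, "patched:", bundled_expat_is_patched())
```

The point of the pairing is the shape of the fix, not the toy: moving the traversal state from the call stack to a heap-allocated list makes depth a resource you can count and cap, which a recursive call cannot do portably.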


78% of Hardware Companies Lack Security.txt

2025-03-03

A developer who maintains a public list of companies shipping libexpat in hardware checked whether those companies publish a security contact and found that 78% (39 of the 50 tested in 2025) do not serve a /.well-known/security.txt file as specified by RFC 9116. Without that file, a researcher who finds a bug in a vendor's firmware has no documented way to reach its security team, which is exactly the situation the Expat maintainer ran into when looking for help. The author urges the affected companies to publish the file and points them to securitytxt.org.
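A vendor that does serve the file can still get it wrong, so a practitioner auditing a list like the one above wants more than a 200 status code. The checker below is an added example, not the author's survey script and not code from securitytxt.org: it parses a security.txt body and enforces the RFC 9116 rules most often missed (required `Contact`, exactly one unexpired `Expires`, https for web URIs, no unknown fields). The sample bodies are constructed for the example, the `AS_OF` date is fixed to the post's date so the run is reproducible, and `fetch_security_txt` is a small network helper for use against real hosts.

```python
"""Minimal RFC 9116 security.txt checker.  Added example for this page; not the
survey script from the original post and not securitytxt.org's code."""
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116 (compared case-insensitively).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}

# Fixed "now" so results are reproducible; the post is dated 2025-03-03.
AS_OF = datetime(2025, 3, 3, tzinfo=timezone.utc)

def parse_security_txt(body: str) -> dict:
    """Split a security.txt body into {'fields': {name: [values]}, 'problems': [...]}."""
    fields, problems = {}, []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments are allowed
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {name!r}")
        fields.setdefault(name, []).append(value)
    return {"fields": fields, "problems": problems}

def _parse_expires(value: str):
    """RFC 9116 requires an ISO 8601 date-time with a UTC offset; 'Z' is accepted."""
    try:
        dt = datetime.fromisoformat(re.sub(r"[Zz]$", "+00:00", value))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None

def check_security_txt(body: str, now: datetime = AS_OF) -> list:
    """Return a list of findings; an empty list means the file passes these checks."""
    parsed = parse_security_txt(body)
    fields, findings = parsed["fields"], list(parsed["problems"])

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact: required field is missing")
    for c in contacts:
        if not re.match(r"^(mailto:|tel:|https://)", c, re.I):
            findings.append(f"Contact: {c!r} is not a mailto:, tel: or https: URI")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"Expires: must appear exactly once (found {len(expires)})")
    else:
        dt = _parse_expires(expires[0])
        if dt is None:
            findings.append(f"Expires: {expires[0]!r} is not an ISO 8601 date-time with offset")
        elif dt <= now:
            findings.append(f"Expires: file expired on {dt.isoformat()}")
        elif dt - now > timedelta(days=366):
            findings.append("Expires: more than a year ahead (RFC 9116 recommends under a year)")

    for name in ("canonical", "encryption", "policy", "acknowledgments", "hiring"):
        for v in fields.get(name, []):
            if v.lower().startswith("http://"):
                findings.append(f"{name.capitalize()}: {v!r} uses http://, web URIs must be https://")
    return findings

def fetch_security_txt(host: str, timeout: float = 10.0) -> str:
    """Fetch https://<host>/.well-known/security.txt (network; not used by the samples)."""
    url = f"https://{host}/.well-known/security.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample bodies; example.com is a placeholder, not a surveyed vendor.
GOOD_SAMPLE = """# constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

BAD_SAMPLE = """Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
Policy: http://example.com/policy
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(body) or "OK")
```

Run against a list of hosts, the checker gives three buckets that a bare HTTP probe collapses into one: no file at all, a file that is syntactically there but expired or unreachable by its own `Contact` value, and a file that actually passes.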
