OSG-SEC-2022-10-07 HIGH expat use-after-free
Dear OSG Security Contacts,
A use-after-free vulnerability was found in the expat library in the doContent function in xmlparse.c. The library is widely used by open source software. The vulnerability is outlined in CVE-2022-40674. 
Versions of expat before 2.4.9 are affected.
WHAT ARE THE VULNERABILITIES:
With this flaw, it is possible to create a situation in which parsing is suspended while substituting in an internal entity, so that XML_ResumeParser directly uses the internalEntityProcessor as its processor. If the subsequent parse includes some unclosed tags, this will return without calling storeRawNames to ensure that the raw versions of the tag names are stored in memory other than the parse buffer itself. Problems then occur if the parse buffer is changed or reallocated (for example, when processing a file line by line). Using this vulnerability in the doContent function allows an attacker to trigger a denial of service or potentially arbitrary code execution.
WHAT YOU SHOULD DO:
Update affected systems as patches become available.
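To find out which expat a given Python installation is linked against and whether its upstream version number predates the fixed release, the following check can be run on each host. It is an added example, not part of the OSG advisory; the version threshold is the one stated above, and the function names are my own.

```python
"""Check whether the expat linked into this Python build predates the
CVE-2022-40674 fix (expat 2.4.9). Added example, not part of the advisory."""
import re
import pyexpat

FIXED_VERSION = (2, 4, 9)  # first upstream release containing the fix


def parse_expat_version(version_string):
    """Turn an expat version string into a comparable (major, minor, micro) tuple.

    pyexpat.EXPAT_VERSION uses the 'expat_X.Y.Z' form; a bare 'X.Y.Z'
    (as printed by xmlwf -v or a package manager) is accepted as well.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if match is None:
        raise ValueError(f"unrecognised expat version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_upstream_vulnerable(version_string):
    """True when the upstream version number is below 2.4.9.

    Caveat: distributions frequently backport security fixes without bumping
    the upstream version number, so True means "consult the distribution's
    advisory for this package", not "definitely unpatched".
    """
    return parse_expat_version(version_string) < FIXED_VERSION


def check_running_interpreter():
    """Return (version string, below-fixed-version flag) for this interpreter's expat."""
    version = pyexpat.EXPAT_VERSION
    return version, is_upstream_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_running_interpreter()
    status = "BELOW fixed version 2.4.9" if vulnerable else "at or above 2.4.9"
    print(f"{version}: {status}")
```

The script only covers the expat that Python itself uses; other applications may bundle or link a separate copy, which must be inventoried through the package manager or the distribution advisories listed below.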
Sites running RHEL should see 
Sites running CentOS should also see 
Sites running Ubuntu should see 
Sites running Scientific Linux should see 
Sites running Debian should see 
Sites running RockyLinux should see 
Sites running Almalinux should see 
Please contact the OSG security team at sec[email protected] if you have any questions or concerns.
OSG Security Team