Package: xotcl Version: 1.6.1-1 Severity: important Tags: security
Xotcl uses an embedded and vulnerable version of the expat library for XML parsing. At a minimum, http://security-tracker.debian.org/tracker/CVE-2009-3720 is present from having a quick review of the relevant source. I have not investigated the impact of this vulnerability or how it would be triggered. I imagine the impact is quite low because the outstanding vulnerabilities in expat are denial of services. The desired outcome is that xotcl dynamically link against the system expat library instead of linking in the embedded copy.

