The update for expat released as DSA 5085-1 introduced regressions for applications using URI characters (':' in particular) for a namespace
separator (while the HTML API docs of function XML_ParserCreateNS have
been advising against their use). Updated expat packages are now
available which relax the fix for CVE-2022-25236 with regard to RFC 3986
For the oldstable distribution (buster), this problem has been fixed
in version 2.2.6-2+deb10u4.
For the stable distribution (bullseye), this problem has been fixed in
We recommend that you upgrade your expat packages.