The update for expat released as DSA 5085-1 introduced regressions for applications using URI characters for a namespace separator . Updated expat packages are now available which relax the fix for CVE-2022-25236 with regard to RFC 3986 URI characters. For the oldstable distribution , this problem has been fixed in version 2.2.6-2+deb10u4.