During the month of September 2025 and on behalf of Freexian, I worked on the
following:
libxslt
-------
Uploaded 1.1.34-4+deb11u3 and issued DLA-4309-1 (joint work with Jochen Sprickerhof).
https://lists.debian.org/msgid-search/?m=aNUPj9LKku2yezG5@debian.org
* CVE-2023-40403: Information disclosure vulnerability due to weak
memory handling of generated-id().
* CVE-2025-7424: Type confusion vulnerability in xmlNode.psvi between
stylesheet and source nodes.
Uploaded 1.1.32-2.2~deb10u4 (buster) and 1.1.29-2.1+deb9u5 (stretch),
and issued ELA-1525-1 (joint work with Jochen Sprickerhof).
https://www.freexian.com/lts/extended/updates/ela-1525-1-libxslt/
Also, identified a regression in the versions uploaded to bookworm-security
and trixie-security via DSA 5979-1, and prepared a debdiff for fixed
versions (released by the security team as DSA 5979-2).
https://lists.debian.org/msgid-search/E1uoGuq-0016Ys-1l@seger.debian.org
libxml2
-------
Uploaded 2.9.10+dfsg-6.7+deb11u9 and issued DLA-4319-1.
https://lists.debian.org/msgid-search/?m=aNxRzgh2G2ZFW5IB@debian.org
* CVE-2025-9714: Stack overflow via crafted expressions due to
uncontrolled recursion.
* CVE-2025-7425: Heap-use-after-free in xmlFreeID() caused by `atype`
corruption. While the vulnerability was reported against libxslt,
the XSLT 1.0 processing library, it is now mitigated in this libxml2
version.
Also, got in touch with the security team regarding potential issues
with the versions uploaded to bookworm-security and trixie-security.
Work for ELTS suites is ongoing, but I didn't issue an ELA for the above
vulnerabilities yet.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.