During the month of September 2025 and on behalf of Freexian, I worked on the following:

libxslt
-------

Uploaded 1.1.34-4+deb11u3 and issued DLA-4309-1 (joint work with Jochen Sprickerhof).
https://lists.debian.org/msgid-search/?m=aNUPj9LKku2yezG5@debian.org

* CVE-2023-40403: Information disclosure vulnerability due to weak memory handling of generated-id().
* CVE-2025-7424: Type confusion vulnerability in xmlNode.psvi between stylesheet and source nodes.

Uploaded 1.1.32-2.2~deb10u4 (buster) and 1.1.29-2.1+deb9u5 (stretch), and issued ELA-1525-1 (joint work with Jochen Sprickerhof).
https://www.freexian.com/lts/extended/updates/ela-1525-1-libxslt/

Also, identified a regression in the versions uploaded to bookworm-security and trixie-security via DSA 5979-1, and prepared a debdiff for fixed versions (released by the security team as DSA 5979-2).
https://lists.debian.org/msgid-search/E1uoGuq-0016Ys-1l@seger.debian.org

libxml2
-------

Uploaded 2.9.10+dfsg-6.7+deb11u9 and issued DLA-4319-1.
https://lists.debian.org/msgid-search/?m=aNxRzgh2G2ZFW5IB@debian.org

* CVE-2025-9714: Stack overflow via crafted expressions due to uncontrolled recursion.
* CVE-2025-7425: Heap-use-after-free in xmlFreeID() caused by `atype` corruption. While the vulnerability was reported against libxslt, the XSLT 1.0 processing library, it is now mitigated in this libxml2 version.

Also, got in touch with the security team regarding potential issues with the versions uploaded to bookworm-security and trixie-security. Work for ELTS suites is ongoing, but I didn't issue an ELA for the above vulnerabilities yet.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

--
Guilhem.