Debian (E)LTS report for September 2025

During the month of September 2025 and on behalf of Freexian, I worked on the
following:

libxslt
-------

Uploaded 1.1.34-4+deb11u3 and issued DLA-4309-1 (joint work with Jochen Sprickerhof).
https://lists.debian.org/msgid-search/?m=aNUPj9LKku2yezG5@debian.org

  * CVE-2023-40403: Information disclosure vulnerability due to weak
    memory handling of generated-id().
  * CVE-2025-7424: Type confusion vulnerability in xmlNode.psvi between
    stylesheet and source nodes.

Uploaded 1.1.32-2.2~deb10u4 (buster) and 1.1.29-2.1+deb9u5 (stretch),
and issued ELA-1525-1 (joint work with Jochen Sprickerhof).
https://www.freexian.com/lts/extended/updates/ela-1525-1-libxslt/

Also, identified a regression in the versions uploaded to bookworm-security
and trixie-security via DSA 5979-1, and prepared a debdiff for fixed
versions (released by the security team as DSA 5979-2).
https://lists.debian.org/msgid-search/E1uoGuq-0016Ys-1l@seger.debian.org

libxml2
-------

Uploaded 2.9.10+dfsg-6.7+deb11u9 and issued DLA-4319-1.
https://lists.debian.org/msgid-search/?m=aNxRzgh2G2ZFW5IB@debian.org

  * CVE-2025-9714: Stack overflow via crafted expressions due to
    uncontrolled recursion.
  * CVE-2025-7425: Heap-use-after-free in xmlFreeID() caused by `atype`
    corruption.  While the vulnerability was reported against libxslt,
    the XSLT 1.0 processing library, it is now mitigated in this libxml2
    version.

Also, got in touch with the security team regarding potential issues
with the versions uploaded to bookworm-security and trixie-security.

Work for ELTS suites is ongoing, but I haven't issued an ELA for the above
vulnerabilities yet.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.