Bug#1088013: Request to update libxml2 library to fix CVE

To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: Bug#1088013: Request to update libxml2 library to fix CVE
From: Jay Pelletier <jpelletier@titaniumplatform.com>
Date: Thu, 21 Nov 2024 21:11:54 +0000
Message-id: <[🔎] SN6PR04MB48462BA904DADCAFAB5D486FAD222@SN6PR04MB4846.namprd04.prod.outlook.com>
Reply-to: Jay Pelletier <jpelletier@titaniumplatform.com>, 1088013@bugs.debian.org

Package: Bookworm

Version: 12.8

Hello,

I am requesting that the libxml2 library that is packaged with the latest version of Bookworm (12.8 as of Nov 21, 2024). The version being used is 2.9.14+dfsg-1.3~deb12u1. This version has high severity CVE-2024-25062 with it, however this has been fixed in newer versions of libxml2:

https://nvd.nist.gov/vuln/detail/CVE-2024-25062#range-13018875

The 2.9.x branch will never receive this fix so the only remedy is to upgrade to version at or after 2.12.5:

https://gitlab.gnome.org/GNOME/libxml2/-/issues/604

I see that Debian Trixie will be packaging a newer version of libxml2 (2.12.7+dfsg+really2.9.14-0.2+b1):

https://packages.debian.org/search?keywords=libxml2

Can this update be done in Bookworm as well to remove this CVE?

Best,

Jay

Reply to:

Prev by Date: Processing of nini_1.1.0+dfsg.3-1_source.changes
Next by Date: Processed: closing 1088013
Previous by thread: Processing of nini_1.1.0+dfsg.3-1_source.changes
Next by thread: Processed: closing 1088013
Index(es):
- Date
- Thread