Bug#1109947: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u3

Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
X-Debbugs-Cc: libxml2@packages.debian.org
Control: affects -1 + src:libxml2
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

Fix <no-dsa> security issues CVE-2025-6021, CVE-2025-6170,
CVE-2025-49794 and CVE-2025-49796.

[ Impact ]

Users will remain vulnerable to the aforementioned issues.  Upgrading
users might regress as the issues are fixed in Bullseye LTS.

[ Tests ]

Manual bounds checks, manual run of the upstream test suite and
schematron tests.

[ Risks ]

Low risk: all patches come from upstream and the versions backported to
upstream's 2.13 branch trivially apply to 2.9.14+dfsg-1.3~deb12u2.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]

  * Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName.
  * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell.
  * Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput.
  * Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput.

[ Other info ]

CVE-2025-6170 is not fixed in sid yet, tagging #-1 as moreinfo in the
meantime.  debdiff sent to maintainer, will NMU if no one objects to it.
The other CVEs are fixed in sid already.

-- 
Guilhem.
