Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
X-Debbugs-Cc: libxml2@packages.debian.org
Control: affects -1 + src:libxml2
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fix <no-dsa> security issues CVE-2025-6021, CVE-2025-6170,
CVE-2025-49794 and CVE-2025-49796.

[ Impact ]
Users will remain vulnerable to the aforementioned issues.
Upgrading users might regress as the issues are fixed in Bullseye LTS.

[ Tests ]
Manual bound checks, manual run of the upstream test suite and
schematron tests.

[ Risks ]
Low risk: all patches come from upstream and the versions backported to
upstream's 2.13 branch trivially apply to 2.9.14+dfsg-1.3~deb12u2.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
  * Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName.
  * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell.
  * Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput.
  * Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput.

[ Other info ]
The fix for CVE-2025-6170 is not fixed in sid yet, tagging #-1 as
moreinfo in the meantime. debdiff sent to maintainer, will NMU if no
one objects to it. The other CVEs are fixed in sid already.

-- 
Guilhem.