[Git][security-tracker-team/security-tracker][master] Reserve DLA-4146-1 for libxml2
Thorsten Alteholz (@alteholz)
alteholz at debian.org
Wed Apr 30 18:33:16 BST 2025
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ce2abcdf by Thorsten Alteholz at 2025-04-30T19:33:04+02:00
Reserve DLA-4146-1 for libxml2
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -6447,7 +6447,6 @@ CVE-2025-3361 (The web service of iSherlock from HGiga has an OS Command Injecti
CVE-2025-32414 (In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memor ...)
- libxml2 <unfixed> (bug #1102521)
[bookworm] - libxml2 <no-dsa> (Minor issue)
- [bullseye] - libxml2 <postponed> (Minor issue, OOB read)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
CVE-2025-32413 (Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in ...)
NOT-FOR-US: Vulnerability-Lookup
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Apr 2025] DLA-4146-1 libxml2 - security update
+ {CVE-2025-32414 CVE-2025-32415}
+ [bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u7
[30 Apr 2025] DLA-4145-1 expat - security update
{CVE-2024-50602}
[bullseye] - expat 2.2.10-2+deb11u7
=====================================
data/dla-needed.txt
=====================================
@@ -181,9 +181,6 @@ libstring-compare-constanttime-perl (guilhem)
NOTE: 20250430: with it. At least not until we have either decided to revert the patch landing in trixie or accept
NOTE: 20250430: it. Context in https://github.com/hoytech/String-Compare-ConstantTime/pull/21
--
-libxml2 (Thorsten Alteholz)
- NOTE: 20250421: Added by Front-Desk (ta)
---
libxmltok (Thorsten Alteholz)
NOTE: 20250421: Added by Front-Desk (ta)
NOTE: 20250421: Also review all other expat CVEs. (bunk)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2abcdfcf984fd32da57d851d3e040f163c4111
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2abcdfcf984fd32da57d851d3e040f163c4111
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250430/29fd44c7/attachment.htm>
More information about the debian-security-tracker-commits
mailing list