[Git][security-tracker-team/security-tracker][master] 3 commits: Note libxml2 mitigations for CVE-2025-7425 in libxslt

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Aug 29 19:41:10 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
de5fbcaf by Salvatore Bonaccorso at 2025-08-29T20:33:59+02:00
Note libxml2 mitigations for CVE-2025-7425 in libxslt

- - - - -
39fcd674 by Salvatore Bonaccorso at 2025-08-29T20:34:02+02:00
Add reference for libxslt only solution for CVE-2025-7425

- - - - -
1063f3b5 by Salvatore Bonaccorso at 2025-08-29T20:40:32+02:00
Remove trailing empty line

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -13985,7 +13985,6 @@ CVE-2025-53862 (A flaw was found in Ansible. Three API endpoints are accessible
 CVE-2025-53861 (A flaw was found in Ansible. Sensitive cookies without security flags  ...)
 	NOT-FOR-US: Ansible Automation Platform
 CVE-2025-7425 (A flaw was found in libxslt where the attribute type, atype, flags are ...)
-	{DSA-5990-1}
 	- libxslt <unfixed> (bug #1109122)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2379274
 	NOTE: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
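Review bot: dropping `{DSA-5990-1}` from the CVE-2025-7425 entry is correct, because the package line that follows is still `- libxslt <unfixed> (bug #1109122)` while DSA-5990-1 is an advisory for libxml2; leaving the cross-reference in place would have recorded the libxslt issue as resolved by an update to a different source package. The libxml2 update is a mitigation rather than a fix for libxslt, so its relationship to this CVE belongs in NOTE lines, which the following hunk adds.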
@@ -13995,7 +13994,10 @@ CVE-2025-7425 (A flaw was found in libxslt where the attribute type, atype, flag
 	NOTE: and followups.
 	NOTE: Mitigated by https://gitlab.gnome.org/GNOME/libxml2/-/commit/9de92ed78d8495527c5d7a4d0cc76c1f83768195 (2.14)
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/f1e1f13b766eb580a8dcc0c4e7a447346dfd862e (master)
-	NOTE: Mitigation landed in sid in 2.14.5+dfsg-0.1
+	NOTE: Mitigation landed in sid in 2.14.5+dfsg-0.1. Additionally the update for libxml2 as provided
+	NOTE: via DSA 5990-1 (for trixie: 2.12.7+dfsg+really2.9.14-2.1+deb13u1, for bookworm
+	NOTE: 2.9.14+dfsg-1.3~deb12u4) mitigate the issue in trixie and bookworm.
+	NOTE: Potential libxslt-only solution: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140#note_2513942
 CVE-2025-7424 (A flaw was found in the libxslt library. The same memory field, psvi,  ...)
 	{DSA-5979-1}
 	- libxslt 1.1.35-2 (bug #1109123)
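Review bot: grammar in the added NOTE lines: the subject is singular (`the update for libxml2`), so `mitigate the issue in trixie and bookworm` should read `mitigates the issue in trixie and bookworm`. It would also help to say that the versions in parentheses (and `2.14.5+dfsg-0.1` on the sid line) are libxml2 versions, since this entry belongs to libxslt and a reader scanning the package line directly above could take them for libxslt uploads. The `Potential libxslt-only solution` line points at an upstream issue comment rather than a merged commit, which is consistent with keeping libxslt as `<unfixed>` here.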


=====================================
data/DSA/list
=====================================
@@ -2,7 +2,6 @@
 	{CVE-2023-46809 CVE-2024-21892 CVE-2024-22019 CVE-2024-22020 CVE-2024-22025 CVE-2024-27982 CVE-2024-27983 CVE-2025-47153}
 	[bookworm] - nodejs 18.20.4+dfsg-1~deb12u1
 [29 Aug 2025] DSA-5990-1 libxml2 - security update
-	{CVE-2025-7425}
 	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u4
 	[trixie] - libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u1
 [28 Aug 2025] DSA-5989-1 udisks2 - security update
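Review bot: removing `{CVE-2025-7425}` leaves the DSA-5990-1 entry with no CVE list at all, so the tracker will no longer associate this advisory with any CVE. That is consistent with the data/CVE/list change in the same push (libxslt stays `<unfixed>` and the libxml2 update is recorded only as a mitigation in NOTE lines), but it means anyone arriving from the advisory will find no CVE cross-reference on the tracker side; worth confirming that the NOTE text is the intended place for that link rather than the DSA entry.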


=====================================
data/next-point-update.txt
=====================================
@@ -59,4 +59,3 @@ CVE-2025-XXXX [OSSN-0094]
 	[trixie] - watcher 14.0.0-1+deb13u1
 CVE-2025-53859
 	[trixie] - nginx 1.26.3-3+deb13u1
-	



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a1ec9624da36e9ed68d266bb9bbef0932ed973bb...1063f3b503a58f89bb0dbae97507fdd724597fa9
