[Git][security-tracker-team/security-tracker][master] Drop libxml2 entries, they got implicitly already included with last DSA

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Sep 1 20:41:47 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
03fe2c44 by Salvatore Bonaccorso at 2025-09-01T21:40:35+02:00
Drop libxml2 entries, they got implicitly already included with last DSA

Add as well the explicit tracking for the bookworm entries. Choose the
+deb12u3 version as this got accepted into the archive implicitly, both
via acceptance for 12.12 but then superseded by the +deb12u4 upload.

- - - - -


2 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -23419,6 +23419,7 @@ CVE-2025-6172 (Permission vulnerability in the mobile application (com.afmobi.bo
 CVE-2025-6170 (A flaw was found in the interactive shell of the xmllint command-line  ...)
 	{DLA-4251-1}
 	- libxml2 2.12.7+dfsg+really2.9.14-2.1 (bug #1107938; unimportant)
+	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
 	NOTE: Crash in CLI tool, no security impact
 	NOTE: Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/c340e419505cf4bf1d9ed7019a87cc00ec200434 (2.14)
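Review bot: The added `[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3` line for CVE-2025-6170 gives no hint of how that version reached bookworm. The commit message explains that +deb12u3 was accepted for 12.12 and then superseded by the +deb12u4 upload, but the entry itself does not, so a short NOTE to that effect would save a later reader a trip to the commit log. The `unimportant` marking on the unstable line and the "Crash in CLI tool, no security impact" note stay as they are, which looks right.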
@@ -23911,7 +23912,7 @@ CVE-2024-38822 (Multiple methods in the salt master skip minion token validation
 CVE-2025-49794 (A use-after-free vulnerability was found in libxml2. This issue occurs ...)
 	{DLA-4251-1}
 	- libxml2 2.12.7+dfsg+really2.9.14-2 (bug #1107755)
-	[bookworm] - libxml2 <postponed> (Minor issue; revisit when fixed upstream)
+	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b
 CVE-2025-49795 (A NULL pointer dereference vulnerability was found in libxml2 when pro ...)
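Review bot: CVE-2025-49795, the trailing context line of this hunk, gets no bookworm change in this commit and is also not among the entries removed from data/next-oldstable-point-update.txt, while its neighbours CVE-2025-49794 and CVE-2025-49796 both move to `2.9.14+dfsg-1.3~deb12u3`. Its entry body is not visible in the diff, so please confirm that leaving it untouched is intentional and that its bookworm status does not need the same update.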
@@ -23924,7 +23925,7 @@ CVE-2025-49795 (A NULL pointer dereference vulnerability was found in libxml2 wh
 CVE-2025-49796 (A vulnerability was found in libxml2. Processing certain sch:name elem ...)
 	{DLA-4251-1}
 	- libxml2 2.12.7+dfsg+really2.9.14-2 (bug #1107752)
-	[bookworm] - libxml2 <no-dsa> (Minor issue)
+	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/933
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b
 CVE-2025-6031 (Amazon Cloud Cam is a home security camera that was deprecated on Dece ...)
@@ -23932,7 +23933,7 @@ CVE-2025-6031 (Amazon Cloud Cam is a home security camera that was deprecated on
 CVE-2025-6021 (A flaw was found in libxml2's xmlBuildQName function, where integer ov ...)
 	{DLA-4251-1}
 	- libxml2 2.12.7+dfsg+really2.9.14-2 (bug #1107720)
-	[bookworm] - libxml2 <no-dsa> (Minor issue; does not affect the parser code)
+	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781 (master)
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 (2.14-branch)


=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -244,14 +244,6 @@ CVE-2021-46312
 	[bookworm] - djvulibre 3.5.28-2.2~deb12u1
 CVE-2025-8058
 	[bookworm] - glibc 2.36-9+deb12u13
-CVE-2025-6021
-	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
-CVE-2025-6170
-	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
-CVE-2025-49794
-	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
-CVE-2025-49796
-	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
 CVE-2024-42516
 	[bookworm] - apache2 2.4.65-1~deb12u1
 CVE-2024-43204
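Review bot: The removal of the four libxml2 entries in this hunk rests on a DSA that the commit message only calls the "last DSA"; naming the advisory there would make the removal easier to audit. The content itself checks out against the other file: CVE-2025-6021, CVE-2025-6170, CVE-2025-49794 and CVE-2025-49796 each gain a `[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3` line in data/CVE/list with the same version string as the lines dropped here, so no tracking is lost.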



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03fe2c4431f2dfdc6e99b79f73da0db4aff65a54
