[Git][security-tracker-team/security-tracker][master] Update status for two libxml-parser-perl issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 21 06:23:01 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
25a85070 by Salvatore Bonaccorso at 2026-03-21T07:22:26+01:00
Update status for two libxml-parser-perl issues
For CVE-2006-10002, after discussion with Timothy Legge, 56b0509dfc6b
("Fix a buffer overwrite in parse_stream()") did already fix the issue
in 2018 and applied in upstream 2.45. The current version can be
consideered a followup which improve the fix. But we can track the issue
as fixed with 2018 commit again.
As for CVE-2006-10003, the test case does not correctly replicate the
problem but is still present and fixed with the referenced commit.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -921680,17 +921680,22 @@ CVE-2006-3972 (Directory traversal vulnerability in includes/operator_chattransc
CVE-2006-3971 (Cross-site scripting (XSS) vulnerability in visitor/livesupport/chat.p ...)
NOT-FOR-US: Ajax Chat
CVE-2006-10002 (XML::Parser versions through 2.47 for Perl could overflow the pre-allo ...)
- - libxml-parser-perl 2.34-4.2 (bug #378411; medium)
+ - libxml-parser-perl 2.46-1 (bug #378411; medium)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/38106361/
NOTE: https://rt.cpan.org/Ticket/Display.html?id=19859
NOTE: https://github.com/cpan-authors/XML-Parser/issues/64
- NOTE: Fixed by: https://github.com/cpan-authors/XML-Parser/commit/5361c2b7f48599718cdecbe50c5fdd88b28ffd79 (2.48)
+ NOTE: Fixed by: https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255 (2.45)
+ NOTE: Additional improvement: https://github.com/cpan-authors/XML-Parser/commit/5361c2b7f48599718cdecbe50c5fdd88b28ffd79 (2.48)
+ NOTE: Issue was originally fixed in 2.34-4.2 but was lost with the 2.40-1 rebases.
CVE-2006-10003 (XML::Parser versions through 2.47 for Perl has an off-by-one heap buff ...)
- - libxml-parser-perl 2.34-4.1 (bug #378412; medium)
+ - libxml-parser-perl <unfixed> (bug #378412; medium)
+ [trixie] - libxml-parser-perl <no-dsa> (Minor issue, can be fixed later via point release)
+ [bookworm] - ibxml-parser-perl <no-dsa> (Minor issue, can be fixed later via point release)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/38106362/
NOTE: https://rt.cpan.org/Ticket/Display.html?id=19860
NOTE: https://github.com/cpan-authors/XML-Parser/issues/39
NOTE: Fixed by: https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1 (2.48)
+ NOTE: Issue was originally fixed in 2.34-4.1 but was lost with the 2.40-1 rebases.
CVE-2006-3970 (PHP remote file inclusion vulnerability in lmo.php in the LMO Componen ...)
NOT-FOR-US: LMO for joomla
CVE-2006-3969 (PHP remote file inclusion vulnerability in administrator/components/co ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25a85070b6defc2422da0342f4db6bb07969b2c5
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25a85070b6defc2422da0342f4db6bb07969b2c5
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260321/c2bc88d6/attachment.htm>
More information about the debian-security-tracker-commits
mailing list