[xml/sgml-pkgs] Bug#1109947: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u3
Guilhem Moulin
guilhem at debian.org
Sun Jul 27 01:00:30 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
X-Debbugs-Cc: libxml2 at packages.debian.org
Control: affects -1 + src:libxml2
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
Fix <no-dsa> security issues CVE-2025-6021, CVE-2025-6170,
CVE-2025-49794 and CVE-2025-49796.
[ Impact ]
Users will remain vulnerable to the aforementioned issues. Upgrading
users might regress, as the issues are fixed in Bullseye LTS.
[ Tests ]
Manual bound checks, manual run of the upstream test suite and
schematron tests.
[ Risks ]
Low risk: all patches come from upstream, and the versions backported to
upstream's 2.13 branch apply trivially to 2.9.14+dfsg-1.3~deb12u2.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName.
* Fix CVE-2025-6170: Potential buffer overflows in the interactive shell.
* Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput.
* Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput.
[ Other info ]
CVE-2025-6170 is not fixed in sid yet, so tagging #-1 as moreinfo in
the meantime. debdiff sent to the maintainer; will NMU if no one
objects to it. The other CVEs are fixed in sid already.
--
Guilhem.
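The page describes CVE-2025-6021 only as "integer overflow issue in xmlBuildQName" and lists "manual bound checks" among the tests. The following is an added illustration of that bug class and of the kind of bound check one would verify, not code from libxml2 or from this bug report: a QName builder that joins "prefix:local" from a caller-supplied int prefix length. The function names (qname_len_overflows_int, build_qname_checked, qname_equals) and the inputs are assumptions made for the example; the real xmlBuildQName signature and its fix are not shown on this page.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative code, not libxml2's xmlBuildQName. It models the bug class
 * only: the total length of "prefix:local" is summed from an int prefix
 * length plus strlen(local) plus two bytes (':' and NUL). Summed in an int,
 * that wraps for huge inputs and the allocation ends up smaller than the
 * copy that follows. The hardened path below rejects such inputs first and
 * does the real arithmetic in size_t.
 */

/* Returns 1 if prefix_len + 1 + local_len + 1 does not fit in an int, i.e.
 * the naive int arithmetic would overflow (or prefix_len is negative);
 * 0 otherwise. Pure computation, nothing is allocated. */
static int qname_len_overflows_int(int prefix_len, size_t local_len)
{
    if (prefix_len < 0)
        return 1;
    if (prefix_len > INT_MAX - 2)
        return 1;                      /* even an empty local part overflows */
    return local_len > (size_t)(INT_MAX - 2 - prefix_len);
}

/* Hardened builder. `prefix_len` must be the actual length of `prefix`
 * (assumed API contract). Returns a malloc'd "prefix:local" string, a copy
 * of `local` when there is no prefix, or NULL on overflow / bad input.
 * The caller frees the result. */
static char *build_qname_checked(const char *local, const char *prefix,
                                 int prefix_len)
{
    size_t local_len, total;
    char *out;

    if (local == NULL || prefix_len < 0)
        return NULL;
    local_len = strlen(local);

    if (prefix == NULL || prefix_len == 0) {
        /* No prefix: the QName is just the local part. */
        out = malloc(local_len + 1);
        if (out != NULL)
            memcpy(out, local, local_len + 1);
        return out;
    }

    if (qname_len_overflows_int(prefix_len, local_len))
        return NULL;                   /* would have wrapped in the naive path */

    total = (size_t)prefix_len + 1 + local_len + 1;   /* ':' and NUL */
    out = malloc(total);
    if (out == NULL)
        return NULL;
    memcpy(out, prefix, (size_t)prefix_len);
    out[prefix_len] = ':';
    memcpy(out + prefix_len + 1, local, local_len + 1);
    return out;
}

/* Check helper: builds a QName, compares it with `expected` (NULL means the
 * builder is expected to refuse), frees the result, returns 1 on match. */
static int qname_equals(const char *local, const char *prefix, int prefix_len,
                        const char *expected)
{
    char *q = build_qname_checked(local, prefix, prefix_len);
    int ok;

    if (q == NULL)
        return expected == NULL;
    ok = (expected != NULL && strcmp(q, expected) == 0);
    free(q);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a normal QName, no prefix, and a prefix length
     * large enough to wrap the naive int sum. */
    printf("normal=%d noprefix=%d overflow_rejected=%d\n",
           qname_equals("a", "ns", 2, "ns:a"),
           qname_equals("a", NULL, 0, "a"),
           qname_equals("a", "ns", INT_MAX, NULL));
    return 0;
}
```

The bound check to verify by hand in a backport of this kind is the one qname_len_overflows_int performs: the rejection must happen before the length is summed, and the sum that sizes the allocation must be the same expression as the one that drives the copies.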