[xml/sgml-pkgs] (o)s-pu uploads to fix no-dsa security issues in libxml2
Aron Xu
aron at debian.org
Mon Jun 8 03:50:06 BST 2026
Hi,
On Mon, Jun 8, 2026 at 1:53 AM Guilhem Moulin <guilhem at debian.org> wrote:
>
> Hi,
>
> While working on an upload for bullseye LTS I noticed the versions of
> src:libxml2 currently found in bookworm and trixie are vulnerable to a
> few no-dsa (or unimportant) security issues [0].
>
> CVE-2026-6732 has been triaged not to affect stable and older suites, so
> I assume a libxml2 DSA is not in the making and prepared (o)s-pu uploads
> for the remaining issues.
>
> I attach tested debdiffs; individual commits and tag can be found on the
> LTS team fork [1,2]. Debusine output can be found at
>
> https://debusine.debian.net/debian/developers/work-request/821755/
> https://debusine.debian.net/debian/developers/work-request/820313/
>
> I'll file trixie- and bookworm-pu bugs with these changes and tag them
> moreinfo to give you time to object if desired. I also intend to NMU
> libxml2.9 (sid-only transition package per #1112209) so it doesn't fall
> behind trixie's libxml2.
>
> The proposed debdiffs also fix CVE-2025-8732 and CVE-2026-1757 which
> are marked as <not-important> in the security tracker; these issues are
> trivially fixable in trixie and bookworm so there is IMHO no reason not
> to do it in the -pu upload. In addition, the proposed debdiffs include
> backports of security-related changes fixing memory leaks,
> use-after-free and stack overflow issues for which no CVE ID was
> assigned (yet).
>
I had a quick look at the proposed debdiffs and I think they are good;
please go ahead with all the planned actions, there is no need to
wait for more time.
Thanks a lot for taking care of the updates!
Aron