[Debichem-devel] Open Babel 3.2.0 released — fixes 24 tracked CVEs against 3.1.1
Geoffrey Hutchison
geoff.hutchison at gmail.com
Tue May 26 18:41:24 BST 2026
Hi Debichem team,
A heads-up that Open Babel 3.2.0 was tagged today (2026-05-26):
https://github.com/openbabel/openbabel/releases/tag/openbabel-3-2-0
It closes all 24 of the openbabel CVEs currently open on the Debian security tracker — the 2022 Cisco TALOS batch (CVE-2022-37331, -41793, -42885, -43467, -43607, -44451, -46280, -46289..-46295), the 2025 OSS-Fuzz batch (CVE-2025-10994..-11000), and three 2026 CVEs from Vedant Madane (CVE-2026-2704, -2705, -3408).
There are also four new patched bugs (no CVE yet) from Ada Logics, Trail of Bits, and Claude Mythos / Claude Security.
Tracker (currently all "vulnerable, no DSA"):
https://security-tracker.debian.org/tracker/source-package/openbabel
A per-CVE table mapping each ID to the patch commit and PR is in SECURITY.md on the release branch — should make backporting to older releases straightforward if a full 3.1.1 => 3.2.0 update isn't possible:
https://github.com/openbabel/openbabel/blob/openbabel-3-2-0/SECURITY.md
Each CVE also has a minimized reproducer checked in under test/files/fuzz_regress/ and exercised by the fuzzregresstest harness under ASAN+UBSAN, so any backported subset can be verified against the same inputs that originally triggered the bugs. (These are also all running on updated Ubuntu GitHub runners for regression testing.)
Andrius — thanks again for the libxml2 ≥ 2.12.7 fix (#2702) that landed in this release. I'll be more active to get things merged faster now that Avogadro 2.0 is released.
I'm happy to answer questions or look at backport patches if anything doesn't apply cleanly. We're planning to follow up with a post to oss-security in the next day or two so other distros pick it up.
-Geoff
---
Prof. Geoffrey Hutchison (he/him)
Department of Chemistry
University of Pittsburgh
tel: (412) 648-0492
email: geoffh at pitt.edu
web: https://hutchisonlab.org/
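
An added example, not part of the original message or of the Open Babel project: it expands the CVE shorthand used in the announcement into full IDs, so a packager can confirm the list totals 24 and see which IDs a partial backport leaves open. The function names and the partial-backport scenario are assumptions made for illustration. The CVE numbers are taken from the message above.

```python
import re

# CVE shorthand as written in the announcement, one batch per string.
ANNOUNCED = "; ".join([
    "CVE-2022-37331, -41793, -42885, -43467, -43607, -44451, -46280, -46289..-46295",
    "CVE-2025-10994..-11000",
    "CVE-2026-2704, -2705, -3408",
])
TOKEN = re.compile(r"(?:CVE-(\d{4}))?-(\d+)(?:\.\.-(\d+))?")


def expand(shorthand):
    """Expand 'CVE-YYYY-N, -M, -A..-B' shorthand into full CVE IDs, in order."""
    ids, year = [], None
    for token in re.split(r"[,;]\s*", shorthand.strip()):
        m = TOKEN.fullmatch(token)
        if not m:
            raise ValueError(f"unrecognised token: {token!r}")
        year = m.group(1) or year  # a bare '-NNNN' inherits the last year seen
        if year is None:
            raise ValueError(f"no CVE year given before {token!r}")
        first = int(m.group(2))
        last = int(m.group(3) or first)
        if last < first:
            raise ValueError(f"descending range in {token!r}")
        ids += [f"CVE-{year}-{n:04d}" for n in range(first, last + 1)]
    return ids


def still_open(backported, announced=ANNOUNCED):
    """Return announced CVE IDs that a partial backport does not cover."""
    all_ids = expand(announced)
    unknown = set(backported) - set(all_ids)
    if unknown:
        # Catches typos in a packager's own list before they hide a gap.
        raise ValueError(f"not in the announcement: {sorted(unknown)}")
    return [cve for cve in all_ids if cve not in set(backported)]


if __name__ == "__main__":
    all_ids = expand(ANNOUNCED)
    print(len(all_ids), "CVEs announced as fixed")
    # Constructed scenario: a backport that carries only the 2022 patches.
    partial = [cve for cve in all_ids if cve.startswith("CVE-2022-")]
    for cve in still_open(partial):
        print("not covered by backport:", cve)
```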