[Debichem-devel] Open Babel 3.2.0 released — fixes 24 tracked CVEs against 3.1.1

Andrius Merkys merkys at debian.org
Wed May 27 08:43:42 BST 2026


Hi Geoffrey,

On 5/26/26 20:41, Geoffrey Hutchison wrote:
> A heads-up that Open Babel 3.2.0 was tagged today (2026-05-26):
> 
>    https://github.com/openbabel/openbabel/releases/tag/openbabel-3-2-0

This is great news, thanks a lot for your work on the new release! I 
will start looking into updating Open Babel in Debian ASAP, but it might 
take a week or two.

> It closes all 24 of the openbabel CVEs currently open on the Debian security tracker — the 2022 Cisco TALOS batch (CVE-2022-37331, -41793, -42885, -43467, -43607, -44451, -46280, -46289..-46295), the 2025 OSS-Fuzz batch (CVE-2025-10994..-11000), and three 2026 CVEs from Vedant Madane (CVE-2026-2704, -2705, -3408).
> 
> There are also four new patched bugs (no CVE yet) from Ada Logics, Trail of Bits, and Claude Mythos / Claude Security.
> 
>    Tracker (currently all "vulnerable, no DSA"):
>    https://security-tracker.debian.org/tracker/source-package/openbabel
> 
> A per-CVE table mapping each ID to the patch commit and PR is in SECURITY.md on the release branch — should make backporting to older releases straightforward if a full 3.1.1 => 3.2.0 update isn't possible:
> 
>    https://github.com/openbabel/openbabel/blob/openbabel-3-2-0/SECURITY.md
> 
> Each CVE also has a minimized reproducer checked in under test/files/fuzz_regress/ and exercised by the fuzzregresstest harness under ASAN+UBSAN, so any backported subset can be verified against the same inputs that originally triggered the bugs. (These are also all running on updated Ubuntu GitHub runners for regression testing.)

Awesome, glad to see all the CVEs are addressed.

> Andrius — thanks again for the libxml2 ≥ 2.12.7 fix (#2702) that landed in this release. I'll be more active to get things merged faster now that Avogadro 2.0 is released.

You're welcome.

> I'm happy to answer questions or look at backport patches if anything doesn't apply cleanly. We're planning to follow up with a post to oss-security in the next day or two so other distros pick it up.

Sure, will let you know should I have any packaging questions.

Best wishes,
Andrius
