Bug#378412: CVE-2006-10002 and CVE-2006-10003 status
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 21 06:22:55 GMT 2026
Control: found 378411 2.40-1
Control: found 378412 2.40-1
Control: severity 378412 important
Control: fixed 378411 2.46-1
Recently those issues got assigned CVEs, CVE-2006-10002 and
CVE-2006-10003, and while checking it looks like we lost the patches around
2.40-1.
#378411, aka CVE-2006-10002, got fixed later in upstream with
https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255
in 2.45 and later improved with
https://github.com/cpan-authors/XML-Parser/commit/5361c2b7f48599718cdecbe50c5fdd88b28ffd79
but the fix is in 2.45 already.
#378412, aka CVE-2006-10003, was only fixed later, now in
https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1.
I intend to "re-queue" fixes for both, as well as the improvement and the
CVE-2006-10003 fix, down to bookworm via point release updates; I do not
think a DSA is warranted here.
I would like to expose the fixes first via unstable and then ideally look at
point release updates. There is much going on in XML::Parser upstream
now, and the 2.48 release was already followed by further bugfix rounds
2.49 and 2.51.