Your message dated Fri, 29 Aug 2025 16:02:43 +0000
with message-id <[email protected]>
and subject line Bug#1109122: fixed in libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u1
has caused the Debian Bug report #1109122,
regarding libxslt: CVE-2025-7425
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1109122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109122
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.35-1.2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libxslt.

CVE-2025-7425[0]:
| A flaw was found in libxslt where the attribute type, atype, flags
| are modified in a way that corrupts internal memory management. When
| XSLT functions, such as the key() process, result in tree fragments,
| this corruption prevents the proper cleanup of ID attributes. As a
| result, the system may access freed memory, causing crashes or
| enabling attackers to trigger heap corruption.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7425
    https://www.cve.org/CVERecord?id=CVE-2025-7425
[1] https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u1
Done: Aron Xu <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 Aug 2025 19:38:04 +0800
Source: libxml2
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1109122
Changes:
libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u1) trixie-security; urgency=high
.
* CVE-2025-7425: heap-use-after-free in xmlFreeID caused by `atype`
corruption (Closes: #1109122)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---