Your message dated Wed, 24 Jun 2026 21:03:40 +0000
with message-id <[email protected]>
and subject line Bug#1132328: fixed in mxml 3.3.1-1+deb13u1~deb12u1
has caused the Debian Bug report #1132328,
regarding mxml: CVE-2026-5037
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132328: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132328
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mxml
Version: 4.0.4-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/michaelrsweet/mxml/issues/350
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for mxml.
CVE-2026-5037[0]:
| A vulnerability was determined in mxml up to 4.0.4. This issue
| affects the function index_sort of the file mxml-index.c of the
| component mxmlIndexNew. Executing a manipulation of the argument
| tempr can lead to stack-based buffer overflow. The attack is
| restricted to local execution. The exploit has been publicly
| disclosed and may be utilized. This patch is called
| 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied
| to remediate this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-5037
https://www.cve.org/CVERecord?id=CVE-2026-5037
[1] https://github.com/michaelrsweet/mxml/issues/350
[2] https://github.com/michaelrsweet/mxml/commit/6e27354466092a1ac65601e01ce6708710bb9fa5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mxml
Source-Version: 3.3.1-1+deb13u1~deb12u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mxml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated mxml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 19 Jun 2026 14:38:27 +0300
Source: mxml
Architecture: source
Version: 3.3.1-1+deb13u1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Alastair McKinstry <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1132328
Changes:
mxml (3.3.1-1+deb13u1~deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Rebuild for bookworm.
.
mxml (3.3.1-1+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---