Your message dated Thu, 25 Jun 2026 20:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1132328: fixed in mxml 3.3.1-1+deb13u1
has caused the Debian Bug report #1132328,
regarding mxml: CVE-2026-5037
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132328: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132328
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mxml
Version: 4.0.4-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/michaelrsweet/mxml/issues/350
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for mxml.

CVE-2026-5037[0]:
| A vulnerability was determined in mxml up to 4.0.4. This issue
| affects the function index_sort of the file mxml-index.c of the
| component mxmlIndexNew. Executing a manipulation of the argument
| tempr can lead to stack-based buffer overflow. The attack is
| restricted to local execution. The exploit has been publicly
| disclosed and may be utilized. This patch is called
| 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied
| to remediate this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5037
    https://www.cve.org/CVERecord?id=CVE-2026-5037
[1] https://github.com/michaelrsweet/mxml/issues/350
[2] https://github.com/michaelrsweet/mxml/commit/6e27354466092a1ac65601e01ce6708710bb9fa5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mxml
Source-Version: 3.3.1-1+deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated mxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Jun 2026 14:17:53 +0300
Source: mxml
Architecture: source
Version: 3.3.1-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Alastair McKinstry <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1132328
Changes:
 mxml (3.3.1-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
