Your message dated Sat, 27 Jun 2026 15:03:12 +0000
with message-id <[email protected]>
and subject line Bug#1136300: fixed in libxml-libxml-perl 
2.0207+dfsg+really+2.0134-5+deb13u1
has caused the Debian Bug report #1136300,
regarding libxml-libxml-perl: CVE-2026-8177
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136300
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml-libxml-perl
Version: 2.0207+dfsg+really+2.0134-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/cpan-authors/XML-LibXML/issues/146
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libxml-libxml-perl.

CVE-2026-8177[0]:
| XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
| memory when parsing XML node names containing truncated UTF-8 byte
| sequences.  A node name ending in the middle of a multi byte UTF-8
| sequence causes the parser to read past the end of the input string
| into adjacent heap memory.  Any Perl process that passes attacker
| controlled strings to XML::LibXML's DOM node-name methods can reach
| this path on the default API. The likely consequence is a crash,
| causing denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8177
    https://www.cve.org/CVERecord?id=CVE-2026-8177
[1] https://github.com/cpan-authors/XML-LibXML/issues/146
[2] https://lists.security.metacpan.org/cve-announce/msg/39920366/
[3] https://github.com/cpan-authors/XML-LibXML/pull/149

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxml-libxml-perl
Source-Version: 2.0207+dfsg+really+2.0134-5+deb13u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated 
libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jun 2026 11:54:31 +0200
Source: libxml-libxml-perl
Architecture: source
Version: 2.0207+dfsg+really+2.0134-5+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1136300
Changes:
 libxml-libxml-perl (2.0207+dfsg+really+2.0134-5+deb13u1) trixie; urgency=medium
 .
   * Team upload.
   * fix: replace domParseChar with xmlValidateName to prevent OOB UTF-8 read
     (CVE-2026-8177) (Closes: #1136300)
Checksums-Sha1: 
 49ad6d40c30b718c2cf73b61b093cae8179139f4 2611 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.dsc
 d4290ae0b2eb2553c72ec271e02ce807162d614f 17756 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.debian.tar.xz
Checksums-Sha256: 
 8073aa85e07dc5dbad11336b42a17212662fe2b839a39ed5ede3c67257d5b3ec 2611 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.dsc
 a372df2628183ef563975e366685caf2f2c52fe9c3344eb14e22ebfa5af31997 17756 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.debian.tar.xz
Files: 
 b0b6848bb95ce7a7265c6dba8c060699 2611 perl optional 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.dsc
 9ac2bb236b16738a9ffd41480822a538 17756 perl optional 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmo/yRxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ElWQP/25b7GX8FcjDF+qjnQTWBiZ2FF4ULBU6
oJL0WSQNPRTGp+3RDORNz2yLiYDXpFzKppvga0h2vCM3ZwT7JTYu7bWmtJLhv2Mc
LwWKjX5Yz+6y1JY65CsRtRuQJbl809sECqluqJeg0H5+kjHE2QTNkDHaQXqMqc1j
ZDozMzSQp3WZ/AWpW5XT6sjqjIikzeGbFYqKMRvrlMMEx3qehttt5DbFD2BzGMnf
P8/G4fTPna1z40dUFtIfB/mVD9IeD6A/iRKL48N3OxXyxTfqJL5DX8lovcdWWNZA
XRB4cSW7unIdVemwBetreZPgsRQBwQsMTmJK1qrc5dRAoURk7Qsri1TZRmBT6BfF
V8Z1chfnlbTkPSn3N8+42fYiPnwYKUvVCRj3H7tusFaVXi9DgDQvWdE9RoYFG/B7
2GHI6VAuHCR3yGFdg/7f8sPhByYUpzjajQmJhPYTBcKlsfQtkGiEyoNtK0CEzkFP
g0fr5Gul8icIBRemCkb7lHXIuZgAzkmsKkvnETJX/eDLpi8qyEwoJgQ6FDM973B4
8tV2tIeQAZp1Of1gEtQGLPy1n6u/vZtjnlqik5YTYKhr9SfaQUSeBr4foI61O/+S
JK1pHCwZr1PTaOuTMhR6BejC2k1coj+7DRFlW8Kq9QziMYc+8gYMCBlDn0v6NgVy
NqH15FXF93sl
=Hcj2
-----END PGP SIGNATURE-----

Attachment: pgpo6rOUXUNN0.pgp
Description: PGP signature


--- End Message ---

Reply via email to