Your message dated Sat, 27 Jun 2026 15:03:27 +0000
with message-id <[email protected]>
and subject line Bug#1136300: fixed in libxml-libxml-perl 
2.0207+dfsg+really+2.0134-1+deb12u1
has caused the Debian Bug report #1136300,
regarding libxml-libxml-perl: CVE-2026-8177
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136300
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml-libxml-perl
Version: 2.0207+dfsg+really+2.0134-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/cpan-authors/XML-LibXML/issues/146
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libxml-libxml-perl.

CVE-2026-8177[0]:
| XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
| memory when parsing XML node names containing truncated UTF-8 byte
| sequences.  A node name ending in the middle of a multi byte UTF-8
| sequence causes the parser to read past the end of the input string
| into adjacent heap memory.  Any Perl process that passes attacker
| controlled strings to XML::LibXML's DOM node-name methods can reach
| this path on the default API. The likely consequence is a crash,
| causing denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8177
    https://www.cve.org/CVERecord?id=CVE-2026-8177
[1] https://github.com/cpan-authors/XML-LibXML/issues/146
[2] https://lists.security.metacpan.org/cve-announce/msg/39920366/
[3] https://github.com/cpan-authors/XML-LibXML/pull/149

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxml-libxml-perl
Source-Version: 2.0207+dfsg+really+2.0134-1+deb12u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated 
libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jun 2026 13:41:54 +0200
Source: libxml-libxml-perl
Architecture: source
Version: 2.0207+dfsg+really+2.0134-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1136300
Changes:
 libxml-libxml-perl (2.0207+dfsg+really+2.0134-1+deb12u1) bookworm; 
urgency=medium
 .
   * Team upload.
   * fix: replace domParseChar with xmlValidateName to prevent OOB UTF-8 read
     (CVE-2026-8177) (Closes: #1136300)
Checksums-Sha1: 
 7743c043a4c29c3945f35c3b8b10d6e80d481eee 2614 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.dsc
 73d0f88dbc8b902d9a8e281f9ccf4c2a0ab9c064 14904 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.debian.tar.xz
Checksums-Sha256: 
 fde1e788ee67195b9a57128c1545c31e9bff5b75bd7819ec2bcf056eabb77345 2614 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.dsc
 4d70d0cacc92934be32ede6607b5a5a7c50d166269324e12c6bb26abe975692b 14904 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.debian.tar.xz
Files: 
 5fca34b45da8ae5df39496fe282a330e 2614 perl optional 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.dsc
 ab3aa5b24bd6cf8ad57cee65c8e5b3d6 14904 perl optional 
libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmo/yeVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EXTkP/15312EnfxBJoIRmACbY0UVGrIpS7Lwl
QiBaFRtUyCusE553H2z5YUZRVgPfyfKu0mRmDSIsoIOaMHfAsb+WKHF8ckJ1JGn1
te2O9BidbKpwcRn5VlOt3UmfE6/DoS8fXWpNQ0cXjM3Tmfl3q3HMnF/kj1E4+leH
WPaLPu+rttEle/LXZQQBaSy+bbMEYHpU+S9OBANdV+CG7E5OakOunDjmFuQOshgB
am8iBdDdXsXiQgc0ejn/pvd5kX771CYakS9jx9Kn5xn7ut0tfUlqoOvuVwQJd7Ue
UC8rXKM9BbidnuXQfyp2OruGPJ99Rvanu0x2TSR9c9eL1NBtmOHJICvE3e9D3Xwd
hvx345cKh8oxXBSmzauWXQ52MaAEkhP7g0sgjslvsboBA8hklE/jFrCjY+fnoq5X
t+WMNUTSi6J9fVpNr/RgNqjPRMdbTkfDoroLiAjSLPQZZMqh7IOHuCK9yc0himlR
7dj1quLr8Mb5RBtQ2jLQdV7cnSv5L/Zvya/mUbegbeW/cUAVm6ED0x1sGwh26X3x
6YnE0yaFxswhP8o7UkaVonafgK3etZfwkD2/eQ9noPoZ6mbSa4Q9Fi0hM0zWSuCO
MN7GM+7/XwQ2REq6hFCRlU6cQhT0OJ1+E813tZBq2KMO2apwMMaxiRmqRkXB6Le7
Ns4GlCQZbKix
=ieRF
-----END PGP SIGNATURE-----

Attachment: pgpdtO9WIgCIB.pgp
Description: PGP signature


--- End Message ---

Reply via email to