[Git][security-tracker-team/security-tracker][master] Reserve DLA-4146-1 for libxml2

Wed, 30 Apr 2025 10:33:39 -0700 


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce2abcdf by Thorsten Alteholz at 2025-04-30T19:33:04+02:00
Reserve DLA-4146-1 for libxml2

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -6447,7 +6447,6 @@ CVE-2025-3361 (The web service of iSherlock from HGiga 
has an OS Command Injecti
 CVE-2025-32414 (In libxml2 before 2.13.8 and 2.14.x before 2.14.2, 
out-of-bounds memor ...)
        - libxml2 <unfixed> (bug #1102521)
        [bookworm] - libxml2 <no-dsa> (Minor issue)
-       [bullseye] - libxml2 <postponed> (Minor issue, OOB read)
        NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
 CVE-2025-32413 (Vulnerability-Lookup before 2.7.1 allows stored XSS via a user 
bio in  ...)
        NOT-FOR-US: Vulnerability-Lookup


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Apr 2025] DLA-4146-1 libxml2 - security update
+       {CVE-2025-32414 CVE-2025-32415}
+       [bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u7
 [30 Apr 2025] DLA-4145-1 expat - security update
        {CVE-2024-50602}
        [bullseye] - expat 2.2.10-2+deb11u7


=====================================
data/dla-needed.txt
=====================================
@@ -181,9 +181,6 @@ libstring-compare-constanttime-perl (guilhem)
   NOTE: 20250430: with it. At least not until we have either decided to revert 
the patch landing in trixie or accept
   NOTE: 20250430: it. Context in 
https://github.com/hoytech/String-Compare-ConstantTime/pull/21
 --
-libxml2 (Thorsten Alteholz)
-  NOTE: 20250421: Added by Front-Desk (ta)
---
 libxmltok (Thorsten Alteholz)
   NOTE: 20250421: Added by Front-Desk (ta)
   NOTE: 20250421: Also review all other expat CVEs. (bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2abcdfcf984fd32da57d851d3e040f163c4111

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2abcdfcf984fd32da57d851d3e040f163c4111
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to