On 6/16/25 15:12, Alan Coopersmith wrote:
BTW, users of libxml2 may also be using its sibling project, libxslt, which currently has no active maintainer, but has three unfixed security issues reported against it according to https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
2 of the 3 have now been disclosed: (CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 https://project-zero.issues.chromium.org/issues/409761909 (CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption https://gitlab.gnome.org/GNOME/libxslt/-/issues/140 https://project-zero.issues.chromium.org/issues/410569369 Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt. -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - https://blogs.oracle.com/solaris
