Your message dated Thu, 15 May 2025 08:34:49 +0000
with message-id <e1ufu3f-001gkr...@fasolo.debian.org>
and subject line Bug#1053629: fixed in libxml2 2.12.7+dfsg+really2.9.14-1
has caused the Debian Bug report #1053629,
regarding libxml2: CVE-2023-45322
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053629
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.14+dfsg-1.3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libxml2.

CVE-2023-45322[0]:
| libxml2 through 2.11.5 has a use-after-free that can only occur
| after a certain memory allocation fails. This occurs in
| xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't
| think these issues are critical enough to warrant a CVE ID ...
| because an attacker typically can't control when memory allocations
| fail."


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45322
    https://www.cve.org/CVERecord?id=CVE-2023-45322
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9
[3] http://www.openwall.com/lists/oss-security/2023/10/06/5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.12.7+dfsg+really2.9.14-1
Done: Aron Xu <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <a...@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 May 2025 15:34:25 +0800
Source: libxml2
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-1
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Aron Xu <a...@debian.org>
Closes: 1051230 1053629 1063234 1102521 1103511
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-1) unstable; urgency=medium
 .
   * Acknowledge previous NMUs.
   * Security fixes:
     - CVE-2023-39615: out-of-bounds read via the xmlSAX2StartElement()
       (Closes: #1051230)
     - CVE-2023-45322: use-after-free in xmlUnlinkNode()
       (Closes: #1053629)
     - CVE-2024-25062: use-after-free in xmlValidatePopElement()
       (Closes: #1063234)
     - CVE-2025-32414: out-of-bounds read in Python bindings
       (Closes: #1102521)
     - CVE-2025-32415: heap-based buffer under-read via
       xmlSchemaIDCFillNodeTables() (Closes: #1103511)
Checksums-Sha1:
 b97189be45f90cde97146e884421ebb927cb3f0b 2681 libxml2_2.12.7+dfsg+really2.9.14-1.dsc
 acf604965fc6dc6685ac168c58adb77642dcd36b 40760 libxml2_2.12.7+dfsg+really2.9.14-1.debian.tar.xz
 e6b1d496ceb426e15a96d28169070d2d8ca8d180 5704 libxml2_2.12.7+dfsg+really2.9.14-1_source.buildinfo
Checksums-Sha256:
 bde8a79865bb079ecf858b54f1a89fd791135b7cff228cd63900106bb37ffae2 2681 libxml2_2.12.7+dfsg+really2.9.14-1.dsc
 070629f9101eba338ddcf6e66933246a1f072e7e0eaf57c314eced6174e8fe05 40760 libxml2_2.12.7+dfsg+really2.9.14-1.debian.tar.xz
 b166b2c08db4e61aba7d442d67cf0b90a8ec724b8a0aae74735927bcd9eba040 5704 libxml2_2.12.7+dfsg+really2.9.14-1_source.buildinfo
Files:
 f90edcba0e46778fb3f54d286169af90 2681 libs optional libxml2_2.12.7+dfsg+really2.9.14-1.dsc
 1db86677aa23c3e7bd047cb123ead863 40760 libs optional libxml2_2.12.7+dfsg+really2.9.14-1.debian.tar.xz
 eaf3a0ab247f9179094fec1f18d6f52c 5704 libs optional libxml2_2.12.7+dfsg+really2.9.14-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEBLHAyuu1xqoC2aJ5NP8o68vMTMgFAmgln5gACgkQNP8o68vM
TMixbAf8Cj9XhoyYQiKbIi7CM91JpqHIHRU+bL7jonHaz38MyogAtAJaNE83t325
f/n4l8oS0LznHH9zVdszWtMYhmlaaCqKi6FeJ0zVkcUZ3ib8Xv5IuYpdiPxixZ/J
18SwXnOF7ASnOyT/ETr/ib+/S8JCtIB7LXxih/OObN5SRTflrxQKqVTpgKqZJhaV
aI4d4ytRkLG6bokQ9tqzcEir2gi6DwpZQVrb2JswMmw/DsyESIQEvAgN339drKKi
oSpiqGnbmOHbbAyvDJ/VlWM2bSaB5JG2bgK7IjmZOOFJBnmBPm7WoygKR3GMHbwf
CvRP47JCEsobWdauzaQIK8chO50rhw==
=v51D
-----END PGP SIGNATURE-----

--- End Message ---
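The fixing upload is named 2.12.7+dfsg+really2.9.14-1: upstream 2.9.14 re-uploaded under a version string that sorts above the 2.12.7 packages previously in unstable, so that apt treats it as an upgrade. Whether a given host carries the fix therefore comes down to Debian version ordering, which is not plain numeric or string comparison. The following is an added example, not Debian's or libxml2's own code: a Python re-implementation of the comparison rules in Debian Policy section 5.6.12, ordering an installed version string against the one from the changelog above. The fallback version 2.9.14+dfsg-1.3 is the one the bug was filed against; the package name libxml2 and the dpkg-query invocation are assumptions for hosts that have dpkg.

```python
"""Order a libxml2 version string against the fixing upload on this page.

Added example (not Debian's or libxml2's code). Implements the
version-comparison rules from Debian Policy 5.6.12; on a Debian host
`dpkg --compare-versions` is the authoritative tool, this is a portable
re-implementation for inventory and fleet-check scripts.
"""
import re
import shutil
import subprocess

# Version string taken from the changelog on this page.
FIXED_VERSION = "2.12.7+dfsg+really2.9.14-1"

# One (non-digit run, digit run) pair; the policy algorithm alternates
# between lexical and numeric comparison of these runs.
_SEG = re.compile(r"(\D*)(\d*)")


def _char_order(c):
    """Modified ASCII order: '~' sorts before everything (even end of
    string, which is 0), letters sort before all other characters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_part(a, b):
    """Compare an upstream_version or debian_revision string."""
    while a or b:
        ma, mb = _SEG.match(a), _SEG.match(b)
        r = _cmp_nondigit(ma.group(1), mb.group(1))
        if r:
            return r
        na, nb = int(ma.group(2) or 0), int(mb.group(2) or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; a missing revision counts as 0."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when `installed` sorts at or after the fixing upload."""
    return compare_versions(installed, fixed) >= 0


def installed_libxml2_version():
    """Ask dpkg on a Debian host (assumes the package is named libxml2);
    returns None where dpkg-query is unavailable or the package is absent."""
    if shutil.which("dpkg-query") is None:
        return None
    out = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${Version}", "libxml2"],
        capture_output=True, text=True)
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    # Constructed fallback: the version the bug report above was filed against.
    v = installed_libxml2_version() or "2.9.14+dfsg-1.3"
    state = "fixed" if is_fixed(v) else "NOT fixed"
    print(f"libxml2 {v}: {state} relative to {FIXED_VERSION}")
```

The ordering that makes the "+really" naming work is the policy rule that end-of-part sorts before any character except '~': 2.12.7+dfsg-3 compares below 2.12.7+dfsg+really2.9.14-1 because the first upstream part ends where the second continues with '+'. The result only places a version relative to this unstable upload; stable and security-suite updates for the same CVE carry their own version strings, so for those suites consult the security-tracker entry linked in the report rather than this comparison.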