Your message dated Fri, 11 Jul 2025 08:35:39 +0200
with message-id
<CAMr=8w6n0NNgA1QKkA4bnF979jVLisB2Li9b=vtlg1xgdu7...@mail.gmail.com>
and subject line Re: Bug#1109013: libxml2: CVE-2025-6021, CVE-2025-49794,
CVE-2025-49795, CVE-2025-49796
has caused the Debian Bug report #1109013,
regarding libxml2: CVE-2025-6021, CVE-2025-49794, CVE-2025-49795, CVE-2025-49796
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1109013: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109013
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxml2
Severity: CRITICAL and HIGH
User: hemlata.chande...@ibm.com
Hi,
We are writing in reference to the recently published vulnerabilities affecting
libxml2:
CVE-2025-6021: https://www.cve.org/CVERecord?id=CVE-2025-6021
CVE-2025-49794: https://www.cve.org/CVERecord?id=CVE-2025-49794
CVE-2025-49795: https://www.cve.org/CVERecord?id=CVE-2025-49795
CVE-2025-49796: https://www.cve.org/CVERecord?id=CVE-2025-49796
These vulnerabilities appear to affect all currently released versions listed
below:
Source Package: libxml2
(security tracker: https://security-tracker.debian.org/tracker/source-package/libxml2,
 PTS: https://tracker.debian.org/pkg/libxml2)

Release               Version                       Status
bullseye              2.9.10+dfsg-6.7+deb11u4       vulnerable
bullseye (security)   2.9.10+dfsg-6.7+deb11u7       vulnerable
bookworm              2.9.14+dfsg-1.3~deb12u1       vulnerable
bookworm (security)   2.9.14+dfsg-1.3~deb12u2       vulnerable
trixie, sid           2.12.7+dfsg+really2.9.14-1    vulnerable
We would appreciate clarification on the following points:
1. Will these vulnerabilities be fixed in version 2.12.7+dfsg+really2.9.14-1
(Trixie, Sid)? If so, when?
2. When is the next version, 2.14.4+dfsg-0exp1 (currently in experimental),
expected to become a stable release?
3. Will these vulnerabilities be addressed in that next stable release
(2.14.x)?
Thank you for your time and assistance. We look forward to your response.
Best regards,
Hemlata Chandewar
--- End Message ---
--- Begin Message ---
Hi,
On Wed, Jul 9, 2025 at 5:15 PM Hemlata Chandewar
<hemlata.chande...@ibm.com> wrote:
>
> We would appreciate clarification on the following points:
>
> Will these vulnerabilities be fixed in version 2.12.7+dfsg+really2.9.14-1
> (Trixie, Sid)? If so, when?
> When is the next version, 2.14.4+dfsg-0exp1 (currently in experimental),
> expected to become a stable release?
> Will these vulnerabilities be addressed in that next stable release (2.14.x)?
>
Since you've already accessed the information on security-tracker[1],
there is no plan to release a dedicated security advisory for the
listed CVEs for Bookworm at the moment. We are still evaluating our
options about what to do with these issues in Trixie.
Regarding 2.14.x versions, it is possible to release with Debian Forky
(14), which is supposed to become stable about 2 years after Trixie.
These issues will be fixed with newer upstream 2.14.x versions (likely
2.14.5).
Regards,
Aron
[1]https://security-tracker.debian.org/tracker/source-package/libxml2
--- End Message ---