Package: Bookworm
Version: 12.8

Hello,

I am requesting that the libxml2 library that is packaged with the latest version of Bookworm (12.8 as of Nov 21, 2024) be updated. The version being used is 2.9.14+dfsg-1.3~deb12u1. This version has high severity CVE-2024-25062 with it; however, this has been fixed in newer versions of libxml2:
https://nvd.nist.gov/vuln/detail/CVE-2024-25062#range-13018875

The 2.9.x branch will never receive this fix, so the only remedy is to upgrade to a version at or after 2.12.5:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604

I see that Debian Trixie will be packaging a newer version of libxml2 (2.12.7+dfsg+really2.9.14-0.2+b1):
https://packages.debian.org/search?keywords=libxml2

Can this update be done in Bookworm as well to remove this CVE?

Best,
Jay