Your message dated Thu, 27 Mar 2025 11:34:43 +0000
with message-id <e1txlvt-00cgdw...@fasolo.debian.org>
and subject line Bug#1094238: fixed in libxml2 2.12.7+dfsg+really2.9.14-0.4
has caused the Debian Bug report #1094238,
regarding libxml2: CVE-2022-49043
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1094238: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094238
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.12.7+dfsg+really2.9.14-0.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.9.14+dfsg-1.3~deb12u1
Control: found -1 2.9.14+dfsg-1.3
Hi,
The following vulnerability was published for libxml2.
CVE-2022-49043[0]:
| xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-49043
https://www.cve.org/CVERecord?id=CVE-2022-49043
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.12.7+dfsg+really2.9.14-0.4
Done: Matthias Klose <d...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1094...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <d...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 27 Mar 2025 11:54:17 +0100
Source: libxml2
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-0.4
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Matthias Klose <d...@debian.org>
Closes: 1071162 1092484 1094238 1098320 1098321 1098322
Changes:
libxml2 (2.12.7+dfsg+really2.9.14-0.4) unstable; urgency=medium
.
* Non-maintainer upload.
.
* Don't build with ICU. Closes: #1092484.
.
libxml's README.md states:
.
[ICU](https://icu.unicode.org/), a Unicode library. Mainly
useful as an alternative to iconv on Windows. Unnecessary
on most other systems.
.
ICU 76.1 must be built with -std=c++17 or -std=gnu++17 or
higher. However, including the ICU headers in the libxml2 headers
breaks builds with older C++ standards, most likely leading to
some unrelated build failures for packages that don't rely on ICU
but are using libxml2.
.
* Import security updates from Ubuntu:
- SECURITY UPDATE: use-after-free in xmlXIncludeAddNode
+ debian/patches/CVE-2022-49043.patch: fix UaF in xinclude.c.
+ CVE-2022-49043. Closes: #1094238.
- SECURITY UPDATE: buffer overread in xmllint
+ debian/patches/CVE-2024-34459.patch: fix buffer issue when using
htmlout option in xmllint.c.
+ CVE-2024-34459. Closes: #1071162.
- SECURITY UPDATE: use-after-free
+ debian/patches/CVE-2024-56171.patch: Fix use-after-free after
xmlSchemaItemListAdd.
+ CVE-2024-56171. Closes: #1098320.
- SECURITY UPDATE: stack-based buffer overflow
+ debian/patches/CVE-2025-24928-pre1.patch: Check for NULL node->name
in xmlSnprintfElements.
+ debian/patches/CVE-2025-24928.patch: Fix stack-buffer-overflow in
xmlSnprintfElements.
+ CVE-2025-24928. Closes: #1098321.
- SECURITY UPDATE: NULL pointer dereference
+ debian/patches/CVE-2025-27113.patch: Fix compilation of explicit
child axis.
+ CVE-2025-27113. Closes: #1098322.
Checksums-Sha1:
4ee2efb936758253ef120e3c750711864f31ffcd 3060
libxml2_2.12.7+dfsg+really2.9.14-0.4.dsc
218ed9f116cfd8c30f4df7aa4bd2db2cd3c2955a 38312
libxml2_2.12.7+dfsg+really2.9.14-0.4.debian.tar.xz
2065aef4edd178db210f6ced5aa968230496c829 5982
libxml2_2.12.7+dfsg+really2.9.14-0.4_source.buildinfo
Checksums-Sha256:
ed52ed86b0dbc448c79490829aa8f6b73abf37794e3be27d746a8aa1c90a94e0 3060
libxml2_2.12.7+dfsg+really2.9.14-0.4.dsc
02dd4c440b5b8bd9376030b5e224a0da707d60e649eec28787b35ebdeebb4f0d 38312
libxml2_2.12.7+dfsg+really2.9.14-0.4.debian.tar.xz
51fe71139020be0e527439c9c11d976c29b6d472b4baf184c8bfca5612686142 5982
libxml2_2.12.7+dfsg+really2.9.14-0.4_source.buildinfo
Files:
a0c3b4161adbd5a2e0336b8045c82712 3060 libs optional
libxml2_2.12.7+dfsg+really2.9.14-0.4.dsc
8407424fe583724ebcb524551e40e7c1 38312 libs optional
libxml2_2.12.7+dfsg+really2.9.14-0.4.debian.tar.xz
04ada705651b2ddaa9354f5ee2336f45 5982 libs optional
libxml2_2.12.7+dfsg+really2.9.14-0.4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
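The Checksums-Sha256 and Files stanzas in the accepted .changes above are what let a downloader confirm they hold the same source artifacts the uploader signed. As an added example (not Debian's tooling; `dscverify` from devscripts does this for real, after checking the OpenPGP signature on the .changes file), here is a Python parser for that stanza that tolerates the line wrapping visible in the mail rendering above, plus a verifier that reports missing, size-mismatched and hash-mismatched files. The `demo()` files and the second stanza are constructed; `PAGE_STANZA` is copied from the upload above.

```python
"""Verify files against the Checksums-Sha256 stanza of a Debian .changes file.

Added example, not Debian's own tooling: devscripts' dscverify does this for
real, after checking the OpenPGP signature on the .changes file.
"""
import hashlib
import os
import tempfile

# The stanza from the accepted upload above, as rendered in the mail (each
# entry's filename wrapped onto its own line).
PAGE_STANZA = """\
Checksums-Sha256:
 ed52ed86b0dbc448c79490829aa8f6b73abf37794e3be27d746a8aa1c90a94e0 3060
 libxml2_2.12.7+dfsg+really2.9.14-0.4.dsc
 02dd4c440b5b8bd9376030b5e224a0da707d60e649eec28787b35ebdeebb4f0d 38312
 libxml2_2.12.7+dfsg+really2.9.14-0.4.debian.tar.xz
 51fe71139020be0e527439c9c11d976c29b6d472b4baf184c8bfca5612686142 5982
 libxml2_2.12.7+dfsg+really2.9.14-0.4_source.buildinfo
Files:
"""

_HEXLEN = {"Checksums-Sha256": 64, "Checksums-Sha1": 40}


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum field.

    Each entry is normally one indented line ' <hash> <size> <name>'.  Mail
    rendering may wrap the name onto the next line, so tokens are collected
    until the next 'Field:' line and regrouped into triples.  A strict
    deb822 parser would reject un-indented continuation lines.
    """
    tokens = []
    in_field = False
    for line in changes_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if not in_field:
            in_field = parts[0] == field + ":"
            continue
        if parts[0].endswith(":"):        # next field starts: stanza is over
            break
        tokens.extend(parts)
    if not in_field:
        raise ValueError(f"no {field} field")
    if len(tokens) % 3:
        raise ValueError(f"malformed {field} stanza")
    entries = {}
    for k in range(0, len(tokens), 3):
        digest, size, name = tokens[k:k + 3]
        if len(digest) != _HEXLEN.get(field, len(digest)) or not size.isdigit():
            raise ValueError(f"bad entry for {name}")
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(entries, directory):
    """Check each entry against the file of that name in directory.

    Returns {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}.
    Size is checked first: it is cheap and catches truncation before hashing.
    """
    results = {}
    for name, (digest, size) in entries.items():
        # basename(): a hostile .changes must not steer reads outside directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def check_page_upload(directory):
    """Verify the three files of the upload above, if present in directory."""
    return verify_files(parse_checksums(PAGE_STANZA), directory)


def demo():
    """Constructed files: one intact, one replaced by same-size other bytes."""
    good = b"constructed .dsc content\n"
    orig = b"original"
    stanza = (
        "Checksums-Sha256:\n"
        f" {hashlib.sha256(good).hexdigest()} {len(good)} a.dsc\n"
        f" {hashlib.sha256(orig).hexdigest()} {len(orig)} a.tar.xz\n"
        "Files:\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a.dsc"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "a.tar.xz"), "wb") as fh:
            fh.write(b"tampered")        # same length as b"original"
        return verify_files(parse_checksums(stanza), d)


if __name__ == "__main__":
    print(demo())                         # {'a.dsc': 'ok', 'a.tar.xz': 'hash-mismatch'}
    print(check_page_upload(os.getcwd()))  # 'missing' unless the files are here
```

The hashes only bind the files to the .changes text; without first verifying the OpenPGP signature that text is just as replaceable as the files, so run `gpg --verify` (or `dscverify`, which does both) before trusting a match.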