Debian alert DLA-4319-1 (libxml2)
| From: | Guilhem Moulin <guilhem@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 4319-1] libxml2 security update | |
| Date: | Tue, 30 Sep 2025 23:55:26 +0200 | |
| Message-ID: | <aNxRzgh2G2ZFW5IB@debian.org> |
------------------------------------------------------------------------- Debian LTS Advisory DLA-4319-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin September 30, 2025 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : libxml2 Version : 2.9.10+dfsg-6.7+deb11u9 CVE ID : CVE-2025-9714 CVE-2025-7425 Debian Bug : 1109122 Two security issues were found in libxml2, the GNOME XML library, which could yield denial of service or heap corruption. CVE-2025-9714 It was discovered that recursion evaluation in XPath evaluation is uncontrolled and therefore allows a local attacker to cause a stack overflow via crafted expressions. CVE-2025-7425 Sergei Glazunov discovered a heap-use-after-free in xmlFreeID() caused by `atype` corruption. While the vulnerability was reported against libxslt, the XSLT 1.0 processing library, it is now mitigated in this libxml2 version. For Debian 11 bullseye, this problem has been fixed in version 2.9.10+dfsg-6.7+deb11u9. We recommend that you upgrade your libxml2 packages. For the detailed security status of libxml2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxml2 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmjcUcwACgkQ05pJnDwh pVIRew/9EOwoEbZWqdu3M8OER2H/8oPVtrcUEl+rsqxEJ7AWCb8ozpqKLT46KU6+ i31ZQed1fAatmkwN7BkN5fkaiMacJwp47JM7+UjX71IySkQlABAEVcX86Sr8yFlP FN4D+I5Voh0fpR41U+N8iK+RpJSUSa0iFSkwaiqsEM8l7uBtimJR9RAmp/4Nsym+ PRBS1/5VEGhtgWsVp6gAy8quL5w+mXFYngDo8+00199W+6PcnZQ4NSj6GqUEF/ge RKtq4sTdEoTD1MDTTAeogFgpFY5AAECRntBUaLVYHJhRPXd5EawL/ax35REMEr84 TV9whieHsrWD4fuLXb+NT/2w2JRY1RF09tupTOTKdEXFlvuPi0uT051c61kDOWVM IbLmIKrWEoYcfzUkKlp+jH7ppWZgwvkSbVEvH9m3x77055rUXRTRwUFOpYDSGNQw 41z3zkz4cwvfHxSYfgF8uc+B2o89z0sTiqdso4C3z1kGH8alwCNst9sKPQ6drkY7 3fObqv2eFj2bhsRN1jTc0Lx0FXA7vpBEuWiAr2F9rlRnbPr9IXB/ET4M2eBzqVyP Sa5qAIlgAx+aIPG8QIOjEL6k9NUlr/rgpQLTWAEdzBICbpXyZESa48BOtL+ZMspt 9VwYluJJHa/IQilhb4fE+HJXfGILcccnkYAqXczhgMqZJXWeebE= =VsOB -----END PGP SIGNATURE-----