Your message dated Thu, 15 May 2025 08:34:49 +0000
with message-id <[email protected]>
and subject line Bug#1102521: fixed in libxml2 2.12.7+dfsg+really2.9.14-1
has caused the Debian Bug report #1102521,
regarding libxml2: CVE-2025-32414
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1102521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml2
Version: 2.12.7+dfsg+really2.9.14-0.4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libxml2.
CVE-2025-32414[0]:
| In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds
| memory access can occur in the Python API (Python bindings) because
| of an incorrect return value. This occurs in xmlPythonFileRead and
| xmlPythonFileReadRaw because of a difference between bytes and
| characters.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-32414
https://www.cve.org/CVERecord?id=CVE-2025-32414
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.12.7+dfsg+really2.9.14-1
Done: Aron Xu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 15 May 2025 15:34:25 +0800
Source: libxml2
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-1
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1051230 1053629 1063234 1102521 1103511
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-1) unstable; urgency=medium
 .
   * Acknowledge previous NMUs.
   * Security fixes:
     - CVE-2023-39615: out-of-bounds read via the xmlSAX2StartElement()
       (Closes: #1051230)
     - CVE-2023-45322: use-after-free in xmlUnlinkNode()
       (Closes: #1053629)
     - CVE-2024-25062: use-after-free in xmlValidatePopElement()
       (Closes: #1063234)
     - CVE-2025-32414: out-of-bounds read in Python bindings
       (Closes: #1102521)
     - CVE-2025-32415: heap-based buffer under-read via
       xmlSchemaIDCFillNodeTables() (Closes: #1103511)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---