Your message dated Fri, 29 Aug 2025 16:03:12 +0000
with message-id <[email protected]>
and subject line Bug#1109122: fixed in libxml2 2.9.14+dfsg-1.3~deb12u4
has caused the Debian Bug report #1109122,
regarding libxslt: CVE-2025-7425
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109122
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.35-1.2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libxslt.

CVE-2025-7425[0]:
| A flaw was found in libxslt where the attribute type, atype, flags
| are modified in a way that corrupts internal memory management. When
| XSLT functions, such as the key() process, result in tree fragments,
| this corruption prevents the proper cleanup of ID attributes. As a
| result, the system may access freed memory, causing crashes or
| enabling attackers to trigger heap corruption.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7425
    https://www.cve.org/CVERecord?id=CVE-2025-7425
[1] https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.14+dfsg-1.3~deb12u4
Done: Aron Xu <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 Aug 2025 19:30:10 +0800
Source: libxml2
Architecture: source
Version: 2.9.14+dfsg-1.3~deb12u4
Distribution: bookworm-security
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1109122
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u4) bookworm-security; urgency=high
 .
   * CVE-2025-7425: heap-use-after-free in xmlFreeID caused by `atype`
     corruption (Closes: #1109122)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
