| Message ID | 20240301195619.863853-1-fontaine.fabrice@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/libxml2: security bump to version 2.12.5 | expand |
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and > 2.12.x before 2.12.5. When using the XML Reader interface with DTD > validation and XInclude expansion enabled, processing crafted XML > documents can lead to an xmlValidatePopElement use-after-free. > https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.5/NEWS > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed, thanks.
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and > 2.12.x before 2.12.5. When using the XML Reader interface with DTD > validation and XInclude expansion enabled, processing crafted XML > documents can lead to an xmlValidatePopElement use-after-free. > https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.5/NEWS > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> For 2023.02.x and 2023.11.x I have instead bumped to 2.11.7, which contains the same fix.
diff --git a/package/libxml2/libxml2.hash b/package/libxml2/libxml2.hash index 670ff80a41..959887ab0e 100644 --- a/package/libxml2/libxml2.hash +++ b/package/libxml2/libxml2.hash @@ -1,4 +1,4 @@ -# From https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.3.sha256sum -sha256 8c8f1092340a89ff32bc44ad5c9693aff9bc8a7a3e161bb239666e5d15ac9aaa libxml2-2.12.3.tar.xz +# From https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.5.sha256sum +sha256 a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21 libxml2-2.12.5.tar.xz # License files, locally calculated sha256 7fb0a66f3989f9bd5c7e5438a3de02cd4a7a47dde0aea2f7ea2ba2ff454ee6a4 Copyright diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk index 1893206ccb..6070c07b03 100644 --- a/package/libxml2/libxml2.mk +++ b/package/libxml2/libxml2.mk @@ -5,7 +5,7 @@ ################################################################################ LIBXML2_VERSION_MAJOR = 2.12 -LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).3 +LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).5 LIBXML2_SOURCE = libxml2-$(LIBXML2_VERSION).tar.xz LIBXML2_SITE = \ https://download.gnome.org/sources/libxml2/$(LIBXML2_VERSION_MAJOR)
Fix CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.5/NEWS Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/libxml2/libxml2.hash | 4 ++-- package/libxml2/libxml2.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)