
Debian 11: DLA-4064-1 urgent: libxml2 Denial of Service vulnerabilities

Debian LTS advisory, February 22, 2025
Multiple vulnerabilities have been found in libxml2, a library for reading, modifying and writing XML and HTML files. Debian LTS has released an updated libxml2 package for Debian 11 (bullseye); upgrading is advised.

Summary

CVE-2022-49043

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a
use-after-free.

CVE-2023-39615

libxml2 v2.11.0 was discovered to contain an out-of-bounds read via
the xmlSAX2StartElement() function at /libxml2/SAX2.c. This
vulnerability allows attackers to cause a Denial of Service (DoS)
via supplying a crafted XML file. NOTE: the vendor's position is
that the product does not support the legacy SAX1 interface with
custom callbacks; there is a crash even without crafted input.

CVE-2023-45322

libxml2 through 2.11.5 has a use-after-free that can only occur
after a certain memory allocation fails. This occurs in
xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't
think these issues are critical enough to warrant a CVE ID ...
because an attacker typically can't control when memory allocations
fail."

CVE-2024-25062

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before



Severity: Critical

Package: libxml2
Version: 2.9.10+dfsg-6.7+deb11u6
CVE ID: CVE-2022-49043 CVE-2023-39615 CVE-2023-45322 CVE-2024-25062
Debian Bug: 1051230 1053629 1063234 1094238 1098320 1098321 1098322
