Explore top 10 tips to secure your open-source projects now. Read More
×* bsc#1241453 * bsc#1241551 Cross-References: * CVE-2025-32414 . # Security update for libxml2 Announcement ID: SUSE-SU-2025:20364-1 Release Date: 2025-05-28T09:00:31Z Rating: moderate References: * bsc#1241453 * bsc#1241551 Cross-References: * CVE-2025-32414 * CVE-2025-32415 CVSS scores: * CVE-2025-32414 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L * CVE-2025-32414 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L * CVE-2025-32414 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-32414 ( NVD ): 5.6 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L * CVE-2025-32415 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2025-32415 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2025-32415 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Micro 6.1 An update that solves two vulnerabilities can now be installed. ## Description: This update for libxml2 fixes the following issues: * CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551). * CVE-2025-32415: Fixed heap-based buffer under-read via crafted XML documents (bsc#1241453). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.1 zypper in -t patch SUSE-SLE-Micro-6.1-126=1 ## Package List: * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64) * libxml2-2-debuginfo-2.11.6-slfo.1.1_3.1 * libxml2-2-2.11.6-slfo.1.1_3.1 * libxml2-debugsource-2.11.6-slfo.1.1_3.1 * libxml2-tools-debuginfo-2.11.6-slfo.1.1_3.1 * libxml2-tools-2.11.6-slfo.1.1_3.1 ## References: * https://www.suse.com/security/cve/CVE-2025-32414.html * https://www.suse.com/security/cve/CVE-2025-32415.html * https://bugzilla.suse.com/show_bug.cgi?id=1241453 * https://bugzilla.suse.com/show_bug.cgi?id=1241551 . This patch resolves libxml2 security issues in SUSE Linux Micro 6.1, featuring essential corrections for XML processing.. libxml2 vulnerabilities, SUSE security updates, buffer under-read fixes, XML parser security. . LinuxSecurity.com Team
Several security issues were fixed in libxmltok.. ========================================================================== Ubuntu Security Notice USN-7199-1 January 13, 2025 libxmltok vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in libxmltok. Software Description: - libxmltok: XML Parser Toolkit, runtime libraries Details: It was discovered that Expat, contained within the xmltok library, incorrectly handled malformed XML data. If a user or application were tricked into opening a crafted XML file, an attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2015-1283, CVE-2016-0718, CVE-2016-4472, CVE-2019-15903) It was discovered that Expat, contained within the xmltok library, incorrectly handled XML data containing a large number of colons, which could lead to excessive resource consumption. If a user or application were tricked into opening a crafted XML file, an attacker could possibly use this issue to cause a denial of service. (CVE-2018-20843) It was discovered that Expat, contained within the xmltok library, incorrectly handled certain input, which could lead to an integer overflow. If a user or application were tricked into opening a crafted XML file, an attacker could possibly use this issue to cause a denial of service. (CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 libxmltok1t64 1.2-4.1ubuntu3.1 Ubuntu 24.04 LTS libxmltok1t64 1.2-4.1ubuntu2.24.0.4.1+esm2 Available with Ubuntu Pro Ubuntu 22.04 LTS libxmltok1 1.2-4ubuntu0.22.04.1~esm4 Available with Ubuntu Pro Ubuntu 20.04 LTS libxmltok1 1.2-4ubuntu0.20.04.1~esm4 Available with Ubuntu Pro Ubuntu 18.04 LTS libxmltok1 1.2-4ubuntu0.18.04.1~esm4 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7199-1 CVE-2015-1283, CVE-2016-0718, CVE-2016-4472, CVE-2018-20843, CVE-2019-15903, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827 Package Information: https://launchpad.net/ubuntu/+source/libxmltok/1.2-4.1ubuntu3.1 . Recent assessments show security vulnerabilities in libxmltok affecting Ubuntu releases. Users should upgrade to patched versions to enhance security and stability. libxmltok vulnerabilities, Ubuntu security updates, XML data exploit. . Severity: Critical. LinuxSecurity.com Team
Update to 2.6.4. Backport fix for CVE-2024-50602.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-cdde5c873d 2024-11-19 01:21:30.375425 -------------------------------------------------------------------------------- Name : mingw-expat Product : Fedora 40 Version : 2.6.4 Release : 1.fc40 URL : http://www.libexpat.org/ Summary : MinGW Windows port of expat XML parser library Description : This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parsed. A start tag is an example of the kind of structures for which you may register handlers. -------------------------------------------------------------------------------- Update Information: Update to 2.6.4. Backport fix for CVE-2024-50602. -------------------------------------------------------------------------------- ChangeLog: * Sat Nov 9 2024 Sandro Mani - 2.6.4-1 - Update to 2.6.4 * Tue Nov 5 2024 Sandro Mani - 2.6.3-2 - Backport patch for CVE-2024-50602 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2322195 - CVE-2024-50602 mingw-expat: DoS via XML_ResumeParser [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2322195 [ 2 ] Bug #2322230 - CVE-2024-50602 mingw-expat: DoS via XML_ResumeParser [fedora-39] https://bugzilla.redhat.com/show_bug.cgi?id=2322230 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-cdde5c873d' at the command line. For more information, refer to the dnf documentation availableat http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Update to expat-2.6.3.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-c5d55d5845 2024-09-13 20:43:08.472730 -------------------------------------------------------------------------------- Name : mingw-expat Product : Fedora 41 Version : 2.6.3 Release : 1.fc41 URL : http://www.libexpat.org/ Summary : MinGW Windows port of expat XML parser library Description : This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parsed. A start tag is an example of the kind of structures for which you may register handlers. -------------------------------------------------------------------------------- Update Information: Update to expat-2.6.3. -------------------------------------------------------------------------------- ChangeLog: * Thu Sep 5 2024 Sandro Mani - 2.6.3-1 - Update to 2.6.3 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2308682 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-39] https://bugzilla.redhat.com/show_bug.cgi?id=2308682 [ 2 ] Bug #2308684 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2308684 [ 3 ] Bug #2310142 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-39] https://bugzilla.redhat.com/show_bug.cgi?id=2310142 [ 4 ] Bug #2310145 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2310145 [ 5 ] Bug #2310148 - CVE-2024-45492 mingw-expat: integer overflow [fedora-39] https://bugzilla.redhat.com/show_bug.cgi?id=2310148 [ 6 ] Bug #2310151 - CVE-2024-45492 mingw-expat: integer overflow [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2310151 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-c5d55d5845' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
* bsc#1219559 Cross-References: * CVE-2023-52425 . # Security update for python3 Announcement ID: SUSE-SU-2024:1657-1 Rating: moderate References: * bsc#1219559 Cross-References: * CVE-2023-52425 CVSS scores: * CVE-2023-52425 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-52425 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP2 * SUSE Linux Enterprise High Performance Computing 12 SP3 * SUSE Linux Enterprise High Performance Computing 12 SP4 * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 * SUSE Linux Enterprise Server 12 SP1 * SUSE Linux Enterprise Server 12 SP2 * SUSE Linux Enterprise Server 12 SP3 * SUSE Linux Enterprise Server 12 SP4 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 * SUSE Linux Enterprise Server for SAP Applications 12 SP1 * SUSE Linux Enterprise Server for SAP Applications 12 SP2 * SUSE Linux Enterprise Server for SAP Applications 12 SP3 * SUSE Linux Enterprise Server for SAP Applications 12 SP4 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 * SUSE Linux Enterprise Software Development Kit 12 SP5 * Web and Scripting Module 12 An update that solves one vulnerability can now be installed. ## Description: This update for python3 fixes the following issues: * CVE-2023-52425: Fixed etree XMLPullParser tests for Expat > =2.6.0 with reparse deferral (bsc#1219559). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Web and Scripting Module 12 zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2024-1657=1 * SUSE Linux Enterprise Software Development Kit 12 SP5 zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-1657=1 * SUSE Linux EnterpriseHigh Performance Computing 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-1657=1 * SUSE Linux Enterprise Server 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-1657=1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-1657=1 ## Package List: * Web and Scripting Module 12 (aarch64 ppc64le s390x x86_64) * python3-base-3.4.10-25.127.1 * python3-base-debugsource-3.4.10-25.127.1 * python3-debuginfo-3.4.10-25.127.1 * python3-base-debuginfo-3.4.10-25.127.1 * libpython3_4m1_0-3.4.10-25.127.1 * python3-3.4.10-25.127.1 * libpython3_4m1_0-debuginfo-3.4.10-25.127.1 * python3-curses-3.4.10-25.127.1 * python3-debugsource-3.4.10-25.127.1 * SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64) * python3-dbm-debuginfo-3.4.10-25.127.1 * python3-base-debugsource-3.4.10-25.127.1 * python3-debuginfo-3.4.10-25.127.1 * python3-base-debuginfo-3.4.10-25.127.1 * python3-devel-3.4.10-25.127.1 * python3-debugsource-3.4.10-25.127.1 * python3-dbm-3.4.10-25.127.1 * SUSE Linux Enterprise Software Development Kit 12 SP5 (ppc64le s390x x86_64) * python3-devel-debuginfo-3.4.10-25.127.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64) * python3-base-3.4.10-25.127.1 * python3-base-debugsource-3.4.10-25.127.1 * python3-curses-debuginfo-3.4.10-25.127.1 * python3-tk-3.4.10-25.127.1 * python3-debuginfo-3.4.10-25.127.1 * python3-base-debuginfo-3.4.10-25.127.1 * python3-devel-3.4.10-25.127.1 * python3-tk-debuginfo-3.4.10-25.127.1 * libpython3_4m1_0-3.4.10-25.127.1 * python3-3.4.10-25.127.1 * libpython3_4m1_0-debuginfo-3.4.10-25.127.1 * python3-curses-3.4.10-25.127.1 * python3-debugsource-3.4.10-25.127.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64) * python3-base-debuginfo-32bit-3.4.10-25.127.1 * libpython3_4m1_0-debuginfo-32bit-3.4.10-25.127.1 * libpython3_4m1_0-32bit-3.4.10-25.127.1 * python3-devel-debuginfo-3.4.10-25.127.1 * SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64) * python3-base-3.4.10-25.127.1 * python3-base-debugsource-3.4.10-25.127.1 * python3-curses-debuginfo-3.4.10-25.127.1 * python3-tk-3.4.10-25.127.1 * python3-debuginfo-3.4.10-25.127.1 * python3-base-debuginfo-3.4.10-25.127.1 * python3-devel-3.4.10-25.127.1 * python3-tk-debuginfo-3.4.10-25.127.1 * libpython3_4m1_0-3.4.10-25.127.1 * python3-3.4.10-25.127.1 * libpython3_4m1_0-debuginfo-3.4.10-25.127.1 * python3-curses-3.4.10-25.127.1 * python3-debugsource-3.4.10-25.127.1 * SUSE Linux Enterprise Server 12 SP5 (ppc64le s390x x86_64) * python3-devel-debuginfo-3.4.10-25.127.1 * SUSE Linux Enterprise Server 12 SP5 (s390x x86_64) * python3-base-debuginfo-32bit-3.4.10-25.127.1 * libpython3_4m1_0-debuginfo-32bit-3.4.10-25.127.1 * libpython3_4m1_0-32bit-3.4.10-25.127.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64) * python3-base-3.4.10-25.127.1 * python3-base-debugsource-3.4.10-25.127.1 * python3-curses-debuginfo-3.4.10-25.127.1 * python3-tk-3.4.10-25.127.1 * python3-debuginfo-3.4.10-25.127.1 * python3-base-debuginfo-3.4.10-25.127.1 * python3-devel-3.4.10-25.127.1 * python3-devel-debuginfo-3.4.10-25.127.1 * python3-tk-debuginfo-3.4.10-25.127.1 * libpython3_4m1_0-3.4.10-25.127.1 * python3-3.4.10-25.127.1 * libpython3_4m1_0-debuginfo-3.4.10-25.127.1 * python3-curses-3.4.10-25.127.1 * python3-debugsource-3.4.10-25.127.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64) * python3-base-debuginfo-32bit-3.4.10-25.127.1 * libpython3_4m1_0-debuginfo-32bit-3.4.10-25.127.1 * libpython3_4m1_0-32bit-3.4.10-25.127.1 ## References: * https://www.suse.com/security/cve/CVE-2023-52425.html * https://bugzilla.suse.com/show_bug.cgi?id=1219559 . SUSE Security Notice: Refresh for python3 totackle moderate risks and enhance protection.. SUSE Security Advisory, Python3 Update, IT Security Updates. . LinuxSecurity.com Team
Update to 2.6.1, backport fix for CVE-2024-28757.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-afb73e6f62 2024-03-23 00:20:56.400435 -------------------------------------------------------------------------------- Name : mingw-expat Product : Fedora 40 Version : 2.6.1 Release : 1.fc40 URL : http://www.libexpat.org/ Summary : MinGW Windows port of expat XML parser library Description : This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parsed. A start tag is an example of the kind of structures for which you may register handlers. -------------------------------------------------------------------------------- Update Information: Update to 2.6.1, backport fix for CVE-2024-28757. -------------------------------------------------------------------------------- ChangeLog: * Sun Mar 10 2024 Sandro Mani - 2.6.1-1 - Update to 2.6.1 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2268768 - TRIAGE CVE-2024-28757 mingw-expat: libexpat: XML Entity Expansion [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2268768 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-afb73e6f62' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Even Rouault discovered that xerces-c, a validating XML parser library for C++, was vulnerable to integer overflow via crafted .xsd files, which can lead to out-of-bounds access. . ------------------------------------------------------------------------- Debian LTS Advisory DLA-3704-1
Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-817ecc703f 2023-12-31 02:26:36.418718 -------------------------------------------------------------------------------- Name : xerces-c Product : Fedora 39 Version : 3.2.5 Release : 1.fc39 URL : https://xerces.apache.org/xerces-c/ Summary : Validating XML Parser Description : Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards: XML 1.0 (Third Edition), XML 1.1 (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0 Traversal and Range, DOM Level 3.0 Load and Save, SAX 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML 1.1, XML Schema, XML Inclusions). -------------------------------------------------------------------------------- Update Information: Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536 -------------------------------------------------------------------------------- ChangeLog: * Fri Dec 22 2023 Kalev Lember - 3.2.5-1 - Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1788472 - CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs https://bugzilla.redhat.com/show_bug.cgi?id=1788472 [ 2 ] Bug #2243426 - CVE-2023-37536 xerces-c: An integer overflow issue that allows remote attackers to cause out-of-bound access via HTTP request https://bugzilla.redhat.com/show_bug.cgi?id=2243426 -------------------------------------------------------------------------------- This update canbe installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-817ecc703f' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Get the latest Linux and open source security news straight to your inbox.