
Apply upstream patches to address multiple vulnerabilities#3526

Merged
flavorjones merged 1 commit into v1.18.x from flavorjones/libxml2-2.13-security-patches on Jul 21, 2025

Conversation

@flavorjones (Member)

What problem is this PR intended to solve?

Address multiple vulnerabilities that are patched in libxml 2.14.4 and 2.14.5 but do not appear in an official 2.13.x release.

  • CVE-2025-6021 - 17d950ae "tree: Fix integer overflow in xmlBuildQName"
  • CVE-2025-6170 - 5e9ec5c1 "Fix potential buffer overflows of interactive shell"
  • CVE-2025-49794 - 81cef8c5 "schematron: Fix xmlSchematronReportOutput"
  • CVE-2025-49795 - 62048278 "schematron: Fix null pointer dereference leading to DoS"
  • CVE-2025-49796 - 81cef8c5 "schematron: Fix xmlSchematronReportOutput"

See related GHSA-353f-x4gh-cqq8 which will be published when these patches appear in a release.

@flavorjones (Member, Author)

cc @elken @rekhaagarwal09

@elken commented Jul 20, 2025

Thanks so much @flavorjones.

https://xkcd.com/2347/ feels very relevant here 😄

@flavorjones flavorjones merged commit a05d2b4 into v1.18.x Jul 21, 2025
140 of 145 checks passed
@flavorjones flavorjones deleted the flavorjones/libxml2-2.13-security-patches branch July 21, 2025 02:02
@rekhaagarwal09

Thank you so much @flavorjones

@flavorjones (Member, Author)

This was released in v1.18.9.
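A quick check, added here as an example and not code from the Nokogiri project or from this PR: using only the facts stated in the thread (the fixes for CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795 and CVE-2025-49796 landed in upstream libxml2 2.14.4 and 2.14.5, and Nokogiri's packaged libxml2 received them in v1.18.9), it decides from a VERSION_INFO-shaped hash whether an installed gem carries the patches. The hash keys used ("nokogiri"/"version" and "libxml"/"source"/"loaded") are assumed to match the layout of Nokogiri::VERSION_INFO and should be confirmed against the installed gem; the sample hashes and the version strings in them are constructed for illustration. The one caveat worth keeping: when Nokogiri links a system libxml2, the version string alone cannot prove absence of the fix, because distributions backport patches without bumping the version, so that case is reported for manual follow-up rather than as vulnerable.

```ruby
# Added example (not Nokogiri's own code): is an installed Nokogiri patched for
# the five libxml2 CVEs discussed in this PR?
#
# Facts taken from the thread:
#   - upstream libxml2 2.14.4 / 2.14.5 contain the fixes, so 2.14.5 covers all five
#   - Nokogiri's packaged (vendored) libxml2 carries the backports from v1.18.9
#
# Assumption: the input hash has the same shape as Nokogiri::VERSION_INFO,
# i.e. {"nokogiri" => {"version" => ...}, "libxml" => {"source" => "packaged"|"system",
# "loaded" => "<libxml2 version>"}}. Check this against your installed gem.

require "rubygems" # Gem::Version does the semantic comparison

FIXED_NOKOGIRI = Gem::Version.new("1.18.9") # first release with the backports (per this PR)
FIXED_LIBXML   = Gem::Version.new("2.14.5") # upstream release that has all five fixes

# Returns one of :patched, :vulnerable, :check_distro_backports, :unknown.
def libxml2_fix_status(version_info)
  nokogiri_version = version_info.dig("nokogiri", "version")
  libxml = version_info["libxml"] || {}
  return :unknown unless nokogiri_version && libxml["loaded"]

  case libxml["source"]
  when "packaged"
    # Vendored libxml2: the gem version decides, since Nokogiri applies the patches itself.
    Gem::Version.new(nokogiri_version) >= FIXED_NOKOGIRI ? :patched : :vulnerable
  when "system"
    # System libxml2: a new enough upstream version is conclusive; an older version
    # string is not, because distributions backport fixes without bumping it.
    Gem::Version.new(libxml["loaded"]) >= FIXED_LIBXML ? :patched : :check_distro_backports
  else
    :unknown
  end
end

# Constructed sample inputs (version strings are illustrative, not measured values).
SAMPLE_PACKAGED_OLD = {
  "nokogiri" => { "version" => "1.18.8" },
  "libxml"   => { "source" => "packaged", "loaded" => "2.13.8" },
}
SAMPLE_PACKAGED_FIXED = {
  "nokogiri" => { "version" => "1.18.9" },
  "libxml"   => { "source" => "packaged", "loaded" => "2.13.8" },
}
SAMPLE_SYSTEM_OLD = {
  "nokogiri" => { "version" => "1.18.8" },
  "libxml"   => { "source" => "system", "loaded" => "2.13.8" },
}
SAMPLE_SYSTEM_NEW = {
  "nokogiri" => { "version" => "1.18.8" },
  "libxml"   => { "source" => "system", "loaded" => "2.14.5" },
}

# Runs the check against the real gem when it is installed in this Ruby.
def installed_status
  require "nokogiri"
  libxml2_fix_status(Nokogiri::VERSION_INFO)
rescue LoadError
  :nokogiri_not_installed
end

if __FILE__ == $PROGRAM_NAME
  {
    "packaged, nokogiri 1.18.8" => SAMPLE_PACKAGED_OLD,
    "packaged, nokogiri 1.18.9" => SAMPLE_PACKAGED_FIXED,
    "system libxml2 2.13.8"     => SAMPLE_SYSTEM_OLD,
    "system libxml2 2.14.5"     => SAMPLE_SYSTEM_NEW,
  }.each { |label, info| puts "#{label}: #{libxml2_fix_status(info)}" }
  puts "this Ruby: #{installed_status}"
end
```

Run it with `ruby check_nokogiri_libxml2.rb` (any file name works); the four sample lines show the decision table, and the last line reports the gem actually loaded in that interpreter, which is what a scanner such as the one mentioned later in the thread should agree with.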

@elken commented Jul 22, 2025

@flavorjones I've also contacted Snyk to let them know this should be resolved now so hopefully it stops being flagged soon by our systems 😄

@snuggs commented Jul 29, 2025

This was released in v1.18.9.

Thanks for this @flavorjones. This helped solve a work issue today. 🎉

P.S. Long time since NYC💎rb. Hope you are well!
