Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/libxml2: security bump to version 2.12.5
@ 2024-03-01 19:56 Fabrice Fontaine
  2024-03-01 21:03 ` Peter Korsgaard
  2024-03-18 15:19 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2024-03-01 19:56 UTC
  To: buildroot; +Cc: Pierre-Jean Texier, Fabrice Fontaine

Fix CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and
2.12.x before 2.12.5. When using the XML Reader interface with DTD
validation and XInclude expansion enabled, processing crafted XML
documents can lead to an xmlValidatePopElement use-after-free.

https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.5/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libxml2/libxml2.hash | 4 ++--
 package/libxml2/libxml2.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libxml2/libxml2.hash b/package/libxml2/libxml2.hash
index 670ff80a41..959887ab0e 100644
--- a/package/libxml2/libxml2.hash
+++ b/package/libxml2/libxml2.hash
@@ -1,4 +1,4 @@
-# From https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.3.sha256sum
-sha256  8c8f1092340a89ff32bc44ad5c9693aff9bc8a7a3e161bb239666e5d15ac9aaa  libxml2-2.12.3.tar.xz
+# From https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.5.sha256sum
+sha256  a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21  libxml2-2.12.5.tar.xz
 # License files, locally calculated
 sha256  7fb0a66f3989f9bd5c7e5438a3de02cd4a7a47dde0aea2f7ea2ba2ff454ee6a4  Copyright
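Review bot: the new tarball hash on the `+sha256` line is sourced from the `.sha256sum` file on download.gnome.org, which is the same host `LIBXML2_SITE` fetches the tarball from, so it catches corruption or a later change to the file but is not an independent check of the release. For a security bump, consider stating in the commit message that the hash was also computed locally on the downloaded `libxml2-2.12.5.tar.xz` and matched. The `Copyright` hash in the context lines is unchanged, which is correct only if the license file is identical in 2.12.5; a build of the package confirms that.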
diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
index 1893206ccb..6070c07b03 100644
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 LIBXML2_VERSION_MAJOR = 2.12
-LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).3
+LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).5
 LIBXML2_SOURCE = libxml2-$(LIBXML2_VERSION).tar.xz
 LIBXML2_SITE = \
 	https://download.gnome.org/sources/libxml2/$(LIBXML2_VERSION_MAJOR)
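Review bot: `LIBXML2_VERSION` moves from `.3` to `.5`, so the bump also takes in the release in between (2.12.4), but the commit message documents only the CVE-2024-25062 fix and links only the v2.12.5 NEWS. Suggest adding a line noting that the 2.12.4 changes are included as well, so anyone backporting or bisecting knows this is not a single-fix update.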
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/libxml2: security bump to version 2.12.5
  2024-03-01 19:56 [Buildroot] [PATCH 1/1] package/libxml2: security bump to version 2.12.5 Fabrice Fontaine
@ 2024-03-01 21:03 ` Peter Korsgaard
  2024-03-18 15:19 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-03-01 21:03 UTC
  To: Fabrice Fontaine; +Cc: Pierre-Jean Texier, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and
 > 2.12.x before 2.12.5. When using the XML Reader interface with DTD
 > validation and XInclude expansion enabled, processing crafted XML
 > documents can lead to an xmlValidatePopElement use-after-free.

 > https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.5/NEWS

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 1/1] package/libxml2: security bump to version 2.12.5
  2024-03-01 19:56 [Buildroot] [PATCH 1/1] package/libxml2: security bump to version 2.12.5 Fabrice Fontaine
  2024-03-01 21:03 ` Peter Korsgaard
@ 2024-03-18 15:19 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-03-18 15:19 UTC
  To: Fabrice Fontaine; +Cc: Pierre-Jean Texier, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and
 > 2.12.x before 2.12.5. When using the XML Reader interface with DTD
 > validation and XInclude expansion enabled, processing crafted XML
 > documents can lead to an xmlValidatePopElement use-after-free.

 > https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.5/NEWS

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

For 2023.02.x and 2023.11.x I have instead bumped to 2.11.7, which
contains the same fix.

-- 
Bye, Peter Korsgaard