| Package | libxml2 |
|---|---|
| Version | 2.9.1+dfsg1-5+deb8u15 (jessie), 2.9.4+dfsg1-2.2+deb9u10 (stretch) |
| Related CVEs | CVE-2017-5130, CVE-2017-5969, CVE-2023-28484, CVE-2023-29469 |
Multiple issues were found in libxml2, the GNOME XML library, which could allow a remote attacker to trigger heap memory corruption, cause a denial of service, or have other unspecified impact.
The Jessie update 2.9.1+dfsg1-5+deb8u15 fixes all of the CVEs listed above. The Stretch update 2.9.4+dfsg1-2.2+deb9u10 fixes CVE-2023-28484 and CVE-2023-29469; the other two were already fixed by a previous upload, see DLA-2972-1 for details.
CVE-2017-5130
An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.

CVE-2017-5969
libxml2 2.9.4, when used in recover mode, allows one to cause a denial of service (NULL pointer dereference) via a crafted XML document.

CVE-2023-28484
NULL dereference in xmlSchemaFixupComplexType.

CVE-2023-29469
Hashing of empty dict strings isn't deterministic.
For Debian 8 jessie, these problems have been fixed in version 2.9.1+dfsg1-5+deb8u15.
For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u10.
We recommend that you upgrade your libxml2 packages.
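As an added example (not part of this advisory or of Debian's own tooling), the following Python reimplements the dpkg version-ordering rules so an inventory script can decide offline whether a reported libxml2 version is at or above the fixed version for jessie or stretch. `FIXED_VERSIONS` holds the two versions named above; `is_fixed()` and the other helper names are assumptions of this example.

```python
# Added example, not part of the advisory: is an installed libxml2 version at or above
# the fix for its suite? Reimplements dpkg's version ordering (epoch, upstream, revision).
FIXED_VERSIONS = {"jessie": "2.9.1+dfsg1-5+deb8u15", "stretch": "2.9.4+dfsg1-2.2+deb9u10"}

def _weight(s, k):
    # Sort weight of s[k] in a non-digit run: end/digit 0, '~' lowest, letters before punctuation.
    if k >= len(s) or s[k].isdigit():
        return 0
    return -1 if s[k] == "~" else ord(s[k]) if s[k].isalpha() else ord(s[k]) + 256

def _digits(s, k):
    # The digit run starting at s[k] and the index just past it.
    n = k
    while n < len(s) and s[n].isdigit():
        n += 1
    return s[k:n], n

def _verrevcmp(a, b):
    # Compare two upstream-version or revision strings the way dpkg does.
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, character by character: "1.0~rc" < "1.0" < "1.0+x".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _weight(a, i) - _weight(b, j)
            if diff:
                return diff
            i, j = i + 1, j + 1
        # Digit run, compared as integers: "2.9.10" > "2.9.9".
        da, i = _digits(a, i)
        db, j = _digits(b, j)
        diff = int(da or "0") - int(db or "0")
        if diff:
            return diff
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]" -> (epoch, upstream, revision)
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg --compare-versions would order a against b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_fixed(suite, installed):
    # True if the installed version already carries the fix this advisory names.
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0
```

Feed it the version string from `dpkg-query -W -f='${Version}' libxml2` on each host; a package at a backported or later revision compares as fixed, a version missing the `+deb8u15` / `+deb9u10` suffix does not.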
Further information about Extended LTS security advisories can be found in the dedicated section of our website.