Flatcar icon indicating copy to clipboard operation
Flatcar copied to clipboard
verified publisher icon flatcar

update: libxslt

Open dongsupark opened this issue 2 months ago • 2 comments

Name: libxslt CVEs: ~~CVE-2025-9714,~~ CVE-2025-10911, CVE-2025-11731 CVSSs: ~~6.2~~, 5.3, 6.2 Action Needed: upgrade to >= 1.1.43-r2

Summary:

  • ~~CVE-2025-9714: Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions xmlXPathRunEval, xmlXPathCtxtCompile, and xmlXPathEvalExpr were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.~~
    • https://gitlab.gnome.org/GNOME/libxslt/-/issues/148
  • CVE-2025-10911: A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.
    • https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
    • https://bugzilla.redhat.com/show_bug.cgi?id=2397838
  • CVE-2025-11731: Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions

refmap.gentoo: https://bugs.gentoo.org/964753

dongsupark avatar Oct 09 '25 08:10 dongsupark

Added CVE-2025-11731

tormath1 avatar Oct 22 '25 08:10 tormath1

Removed a reject one CVE-2025-9714.

dongsupark avatar Dec 08 '25 14:12 dongsupark