CVE-2024-34459

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.

References:

https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7
FEDORA-2024-9ffc6cc7bf
FEDORA-2024-9ffc6cc7bf
FEDORA-2024-08e01e9f2f
FEDORA-2024-08e01e9f2f
FEDORA-2024-4862425658
FEDORA-2024-4862425658

Published: 2024-12-23
Modified: 2025-02-28

CVE-2024-40896

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

References:

https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
https://gitlab.gnome.org/GNOME/libxml2/-/issues/761
https://security.netapp.com/advisory/ntap-20250228-0004/

Version: 2.1.0

Package gem-nokogiri update in sisyphus on 2024-08-13

ALT-PU-2024-10990-2

Closed vulnerabilities

CVE-2024-34459

CVE-2024-40896