Debian dla-4251 : libxml2 - security update

low Nessus Plugin ID 242881

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4251 advisory.

------------------------------------------------------------------------- Debian LTS Advisory DLA-4251-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin July 26, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libxml2 Version : 2.9.10+dfsg-6.7+deb11u8 CVE ID : CVE-2024-34459 CVE-2025-6021 CVE-2025-6170 CVE-2025-49794 CVE-2025-49796 Debian Bug : 1071162 1107720 1107755 1107938

Multiple security issues were found in libxml2, the GNOME XML library, which could yield to denial of service or potentially arbitrary code execution.

CVE-2024-34459

Zhineng Zhong discovered that formatting error messages with `xmllint
--htmlout` could result in a buffer over-read.

CVE-2025-6021

Ahmed Lekssays discovered an integer overflow issue in `xmlBuildQName()` which could result in memory corruption or a denial of service when processing crafted input.

CVE-2025-6170

Ahmed Lekssays discovered a stack-based buffer overflow issue in the command-parsing logic of the interactive shell in xmllint.

CVE-2025-49794

Nikita Sveshnikov discovered a heap use-after-free issue in the schematron. When processing XPath expressions in Schematron schema elements `<sch:name path=/>`, a pointer to freed memory is returned and then accessed, leading to undefined behavior or potential crashes.

CVE-2025-49796

Nikita Sveshnikov discovered a type confusion issue in the schematron. Processing `sch:name` elements and accessing namespace information may lead to leading to memory corruption or undefined behavior.

For Debian 11 bullseye, these problems have been fixed in version 2.9.10+dfsg-6.7+deb11u8.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libxml2 packages.

Plugin Details

Severity: Low

ID: 242881

File Name: debian_DLA-4251.nasl

Version: 1.2

Type: local

Agent: unix

Family: Debian Local Security Checks

Published: 7/27/2025

Updated: 10/3/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Low

Base Score: 1.2

Temporal Score: 0.9

Vector: CVSS2#AV:L/AC:H/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-6170

CVSS v3

Risk Factor: Low

Base Score: 2.5

Temporal Score: 2.2

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libxml2-utils, p-cpe:/a:debian:debian_linux:python3-libxml2-dbg, p-cpe:/a:debian:debian_linux:python3-libxml2, p-cpe:/a:debian:debian_linux:libxml2-dev, p-cpe:/a:debian:debian_linux:libxml2, p-cpe:/a:debian:debian_linux:libxml2-doc

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 7/26/2025

Vulnerability Publication Date: 12/12/2023

Reference Information

CVE: CVE-2024-34459, CVE-2025-49794, CVE-2025-49796, CVE-2025-6021, CVE-2025-6170

IAVA: 2024-A-0067-S, 2025-A-0707

Detections

Analytics