[Buildroot] [PATCH 1/2] package/xerces: security bump to v3.2.5

Titouan Christophe titouan.christophe at mind.be
Tue Oct 21 16:23:29 UTC 2025


See the release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510

Also update the download site to https.

This fixes the following vulnerability:
- CVE-2024-23807:
    The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
    contains a use-after-free error triggered during the scanning of
    external DTDs.  Users are recommended to upgrade to version 3.2.5
    which fixes the issue, or mitigate the issue by disabling DTD
    processing. This can be accomplished via the DOM using a standard
    parser feature, or via SAX using the XERCES_DISABLE_DTD environment
    variable.  This issue has been disclosed before as CVE-2018-1311, but
    unfortunately that advisory incorrectly stated the issue would be
    fixed in version 3.2.3 or 3.2.4.
    https://www.cve.org/CVERecord?id=CVE-2024-23807

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
 package/xerces/xerces.hash | 4 ++--
 package/xerces/xerces.mk   | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/xerces/xerces.hash b/package/xerces/xerces.hash
index e6b5b922d2..52c22ee826 100644
--- a/package/xerces/xerces.hash
+++ b/package/xerces/xerces.hash
@@ -1,5 +1,5 @@
-# From http://www.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.4.tar.xz.sha256
-sha256  075bc57940da0f9be6dd183c550c8ce0b9833e4550dc382048377a1a5e3b2bd9  xerces-c-3.2.4.tar.xz
+# From https://archive.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.5.tar.gz.sha256
+sha256  545cfcce6c4e755207bd1f27e319241e50e37c0c27250f11cda116018f1ef0f5  xerces-c-3.2.5.tar.gz
 
 # Hash for license file
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
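Review bot: the hash comment and the new checksum line switch the source archive from xerces-c-3.2.4.tar.xz to xerces-c-3.2.5.tar.gz, but the commit message only mentions the version bump and the https download site; a sentence explaining why the tarball format changes (for example, if upstream no longer ships a .tar.xz for 3.2.5) would help reviewers and future bumps. Also, the hash is taken from the .sha256 file served next to the tarball on the same host, which only confirms the download is consistent with what that host serves; if upstream publishes a signature (.asc) for the release, verifying the tarball against it before copying the sha256 into xerces.hash gives a stronger provenance check.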
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index 08efa6fb5c..7734cff0d2 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-XERCES_VERSION = 3.2.4
-XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
-XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
+XERCES_VERSION = 3.2.5
+XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.gz
+XERCES_SITE = https://archive.apache.org/dist/xerces/c/3/sources
 XERCES_LICENSE = Apache-2.0
 XERCES_LICENSE_FILES = LICENSE
 XERCES_CPE_ID_VENDOR = apache
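Review bot: the XERCES_SOURCE change from `.tar.xz` to `.tar.gz` is not covered by the commit message, which documents only the version bump and the `http` to `https` change of XERCES_SITE; please add a line to the message so the format change is not mistaken for a typo. The XERCES_SITE update to https is correct and consistent with the new comment in xerces.hash, and XERCES_CPE_ID_VENDOR is unchanged, so the bumped XERCES_VERSION will be what the CPE-based CVE matching sees for CVE-2024-23807.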
-- 
2.51.0
