[Buildroot] [PATCH 1/2] package/xerces: security bump to v3.2.5
Julien Olivain
ju.o at free.fr
Tue Oct 21 20:10:44 UTC 2025
On 21/10/2025 18:23, Titouan Christophe via buildroot wrote:
> See the release notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
>
> Also update the download site to https
>
> This fixes the following vulnerability:
> - CVE-2024-23807:
> The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
> contains a use-after-free error triggered during the scanning of
> external DTDs. Users are recommended to upgrade to version 3.2.5
> which fixes the issue, or mitigate the issue by disabling DTD
> processing. This can be accomplished via the DOM using a standard
> parser feature, or via SAX using the XERCES_DISABLE_DTD environment
> variable. This issue has been disclosed before as CVE-2018-1311, but
> unfortunately that advisory incorrectly stated the issue would be
> fixed in version 3.2.3 or 3.2.4.
> https://www.cve.org/CVERecord?id=CVE-2024-23807
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Series applied to master, thanks.