[Buildroot] [git commit branch/2025.08.x] package/xerces: security bump to v3.2.5
Arnout Vandecappelle
arnout at rnout.be
Thu Oct 30 08:18:06 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=5bec02afe46c6725060b961353056725ed3ff1bf
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.08.x
See the release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
Also update the download site to https
This fixes the following vulnerability:
- CVE-2024-23807:
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
contains a use-after-free error triggered during the scanning of
external DTDs. Users are recommended to upgrade to version 3.2.5
which fixes the issue, or mitigate the issue by disabling DTD
processing. This can be accomplished via the DOM using a standard
parser feature, or via SAX using the XERCES_DISABLE_DTD environment
variable. This issue has been disclosed before as CVE-2018-1311, but
unfortunately that advisory incorrectly stated the issue would be
fixed in version 3.2.3 or 3.2.4.
https://www.cve.org/CVERecord?id=CVE-2024-23807
Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 246f2eca20b26f0c35ffc7eee72edf690815608d)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
package/xerces/xerces.hash | 4 ++--
package/xerces/xerces.mk | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/xerces/xerces.hash b/package/xerces/xerces.hash
index e6b5b922d2..52c22ee826 100644
--- a/package/xerces/xerces.hash
+++ b/package/xerces/xerces.hash
@@ -1,5 +1,5 @@
-# From http://www.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.4.tar.xz.sha256
-sha256 075bc57940da0f9be6dd183c550c8ce0b9833e4550dc382048377a1a5e3b2bd9 xerces-c-3.2.4.tar.xz
+# From https://archive.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.5.tar.gz.sha256
+sha256 545cfcce6c4e755207bd1f27e319241e50e37c0c27250f11cda116018f1ef0f5 xerces-c-3.2.5.tar.gz
# Hash for license file
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
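Review bot: the new sha256 is taken from the .sha256 file on the same archive.apache.org path that XERCES_SITE downloads from, so it proves the fetched archive matches what that server offers, not that it is the archive the project released; check the 3.2.5 tarball against the project's release signature before recording the hash, and say so in the `# From` comment so the provenance is clear to the next bumper.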
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index 08efa6fb5c..7734cff0d2 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -4,9 +4,9 @@
#
################################################################################
-XERCES_VERSION = 3.2.4
-XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
-XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
+XERCES_VERSION = 3.2.5
+XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.gz
+XERCES_SITE = https://archive.apache.org/dist/xerces/c/3/sources
XERCES_LICENSE = Apache-2.0
XERCES_LICENSE_FILES = LICENSE
XERCES_CPE_ID_VENDOR = apache
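Review bot: XERCES_SOURCE switches the archive from xerces-c-$(XERCES_VERSION).tar.xz to .tar.gz, but the commit message only mentions the version bump and the https change; add a sentence stating why the compression format changed, since that is also why the filename in xerces.hash changed. The XERCES_SITE move to https matches the hash-file comment and is good.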