[Buildroot] [PATCH 1/2] package/xerces: security bump to v3.2.5
Thomas Perale
thomas.perale at mind.be
Thu Oct 30 08:23:46 UTC 2025
In reply to:
> See the release notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
>
> Also update the download site to https
>
> This fixes the following vulnerability:
> - CVE-2024-23807:
> The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
> contains a use-after-free error triggered during the scanning of
> external DTDs. Users are recommended to upgrade to version 3.2.5
> which fixes the issue, or mitigate the issue by disabling DTD
> processing. This can be accomplished via the DOM using a standard
> parser feature, or via SAX using the XERCES_DISABLE_DTD environment
> variable. This issue has been disclosed before as CVE-2018-1311, but
> unfortunately that advisory incorrectly stated the issue would be
> fixed in version 3.2.3 or 3.2.4.
> https://www.cve.org/CVERecord?id=CVE-2024-23807
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Applied to 2025.02.x & 2025.08.x. Thanks.
> ---
> package/xerces/xerces.hash | 4 ++--
> package/xerces/xerces.mk | 6 +++---
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/package/xerces/xerces.hash b/package/xerces/xerces.hash
> index e6b5b922d2..52c22ee826 100644
> --- a/package/xerces/xerces.hash
> +++ b/package/xerces/xerces.hash
> @@ -1,5 +1,5 @@
> -# From http://www.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.4.tar.xz.sha256
> -sha256 075bc57940da0f9be6dd183c550c8ce0b9833e4550dc382048377a1a5e3b2bd9 xerces-c-3.2.4.tar.xz
> +# From https://archive.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.5.tar.gz.sha256
> +sha256 545cfcce6c4e755207bd1f27e319241e50e37c0c27250f11cda116018f1ef0f5 xerces-c-3.2.5.tar.gz
>
> # Hash for license file
> sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
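Review bot: the new sha256 line for xerces-c-3.2.5.tar.gz is copied from the .sha256 file served by the same host as the tarball itself (archive.apache.org), so it only attests that the download matched what that server handed out at the time, not that the artifact is the one the release manager signed. Before locking the hash into xerces.hash, verify the tarball against the detached PGP signature Apache publishes next to its release artifacts, using a key from the project's KEYS file, and consider recording in the "# From" comment that the signature was checked. The unchanged LICENSE hash is fine as long as the 3.2.5 tarball still ships the identical LICENSE file; a build with the new tarball will confirm that.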
> diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
> index 08efa6fb5c..7734cff0d2 100644
> --- a/package/xerces/xerces.mk
> +++ b/package/xerces/xerces.mk
> @@ -4,9 +4,9 @@
> #
> ################################################################################
>
> -XERCES_VERSION = 3.2.4
> -XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
> -XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
> +XERCES_VERSION = 3.2.5
> +XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.gz
> +XERCES_SITE = https://archive.apache.org/dist/xerces/c/3/sources
> XERCES_LICENSE = Apache-2.0
> XERCES_LICENSE_FILES = LICENSE
> XERCES_CPE_ID_VENDOR = apache
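Review bot: XERCES_SOURCE switches from .tar.xz to .tar.gz, but the commit message only mentions the version bump and the move to https; please state the reason for the archive-format change (for example, that 3.2.5 is not published as .tar.xz) so it is not read later as an accidental regression to a larger archive. The change of XERCES_SITE to https is the right fix for the plaintext download, with the caveat that TLS only protects the transport: the sha256 in xerces.hash remains the actual integrity check for the fetched tarball, so it should be established independently rather than copied from whatever the mirror serves.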
> --
> 2.51.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot