puppetlabs / puppet-runtime

runtime dependencies for Vanagon projects
Apache License 2.0

Upgrade libxml2 #916

Closed (mhashizume closed 1 week ago)

mhashizume commented 1 month ago

We currently vendor libxml2 2.12.6. The latest version of libxml2 is 2.13.4, which includes fixes to three vulnerabilities in 2.12.6:

We should upgrade libxml2 from 2.12.6 to 2.13.4 to address these vulnerabilities.

Note: it does appear that GNOME, the maintainers of libxml2, are maintaining a few different branches of libxml2 (2.12.z and 2.13.z), but the latest 2.12.z release, 2.12.9, does not include a fix for CVE-2024-25062.

github-actions[bot] commented 1 month ago

Migrated issue to PA-6973