We currently vendor libxml2 2.12.6. The latest version of libxml2 is 2.13.4, which includes fixes to three vulnerabilities in 2.12.6:
CVE-2024-25062
CVE-2024-34459
CVE-2024-40896
We should upgrade libxml2 from 2.12.6 to 2.13.4 to address these vulnerabilities.
Note: it does appear that GNOME, the maintainers of libxml2, are maintaining a few different branches of libxml2 (2.12.z and 2.13.z), but the latest 2.12.z release, 2.12.9, does not include a fix for CVE-2024-25062.
We currently vendor libxml2 2.12.6. The latest version of libxml2 is 2.13.4, which includes fixes to three vulnerabilities in 2.12.6:
We should upgrade libxml2 from 2.12.6 to 2.13.4 to address these vulnerabilities.
Note: it does appear that GNOME, the maintainers of libxml2, are maintaining a few different branches of libxml2 (2.12.z and 2.13.z), but the latest 2.12.z release, 2.12.9, does not include a fix for CVE-2024-25062.