| Name | CVE-2024-40896 |
| Description | In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libxml2 (PTS) | bullseye | 2.9.10+dfsg-6.7+deb11u4 | fixed |
| bullseye (security) | 2.9.10+dfsg-6.7+deb11u5 | fixed | |
| bookworm | 2.9.14+dfsg-1.3~deb12u1 | fixed | |
| sid, trixie | 2.12.7+dfsg+really2.9.14-0.2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libxml2 | source | (unstable) | (not affected) |
- libxml2 <not-affected> (Vulnerable code introduced later in 2.11.0)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/761
Introduced with: https://gitlab.gnome.org/GNOME/libxml2/-/commit/481d79d44cf8ed864ed3d74edbeb96e8cd9ed4a7 (v2.11.0)
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/de28e6ed3a7f18d3188dd18ac5b854b21e05d33a (v2.13.3)
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c2b237174539db92f4504fbc5198d2f1561baca (v2.12.9)
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 (v2.11.9)