[SECURITY] [DLA 4252-1] snapcast security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4252-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
July 27, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : snapcast
Version : 0.23.0+dfsg1-1+deb11u1
CVE ID : CVE-2023-36177
An RCE vulnerability was found in snapcast, a multi-room client-server
audio player.
CVE-2023-36177
Remote attackers can execute arbitrary code and obtain sensitive
information via crafted requests to the JSON-RPC API. The fix disallows
the `process` stream type, so stream sources configured with that type
will stop working after the update.
For Debian 11 bullseye, this problem has been fixed in version
0.23.0+dfsg1-1+deb11u1.
We recommend that you upgrade your snapcast packages.
For the detailed security status of snapcast please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/snapcast
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4251-1] libxml2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4251-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
July 26, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libxml2
Version : 2.9.10+dfsg-6.7+deb11u8
CVE ID : CVE-2024-34459 CVE-2025-6021 CVE-2025-6170 CVE-2025-49794
CVE-2025-49796
Debian Bug : 1071162 1107720 1107755 1107938
Multiple security issues were found in libxml2, the GNOME XML library,
which could lead to denial of service or potentially arbitrary code
execution.
CVE-2024-34459
Zhineng Zhong discovered that formatting error messages with `xmllint
--htmlout` could result in a buffer over-read.
CVE-2025-6021
Ahmed Lekssays discovered an integer overflow issue in
`xmlBuildQName()` which could result in memory corruption or a
denial of service when processing crafted input.
CVE-2025-6170
Ahmed Lekssays discovered a stack-based buffer overflow issue in the
command-parsing logic of the interactive shell in xmllint.
CVE-2025-49794
Nikita Sveshnikov discovered a heap use-after-free issue in the
schematron code. When processing XPath expressions in Schematron schema
elements, a pointer to freed memory is returned and then accessed,
leading to undefined behavior or potential crashes.
CVE-2025-49796
Nikita Sveshnikov discovered a type confusion issue in the
schematron code. Processing `sch:name` elements and accessing namespace
information may lead to memory corruption or undefined behavior.
For Debian 11 bullseye, these problems have been fixed in version
2.9.10+dfsg-6.7+deb11u8.
We recommend that you upgrade your libxml2 packages.
For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS