Amazon Linux 2 Security Advisory: ALAS2-2025-2860
Advisory Released Date: 2025-05-29
Advisory Updated Date: 2025-05-29
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. (CVE-2025-32414)
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. (CVE-2025-32415)
Affected Packages:
libxml2
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update libxml2 to update your system.
aarch64:
libxml2-2.9.1-6.amzn2.5.17.aarch64
libxml2-devel-2.9.1-6.amzn2.5.17.aarch64
libxml2-static-2.9.1-6.amzn2.5.17.aarch64
libxml2-python-2.9.1-6.amzn2.5.17.aarch64
libxml2-debuginfo-2.9.1-6.amzn2.5.17.aarch64
i686:
libxml2-2.9.1-6.amzn2.5.17.i686
libxml2-devel-2.9.1-6.amzn2.5.17.i686
libxml2-static-2.9.1-6.amzn2.5.17.i686
libxml2-python-2.9.1-6.amzn2.5.17.i686
libxml2-debuginfo-2.9.1-6.amzn2.5.17.i686
src:
libxml2-2.9.1-6.amzn2.5.17.src
x86_64:
libxml2-2.9.1-6.amzn2.5.17.x86_64
libxml2-devel-2.9.1-6.amzn2.5.17.x86_64
libxml2-static-2.9.1-6.amzn2.5.17.x86_64
libxml2-python-2.9.1-6.amzn2.5.17.x86_64
libxml2-debuginfo-2.9.1-6.amzn2.5.17.x86_64