Amazon Linux 2023 Security Advisory: ALAS2023-2025-963
Advisory Released Date: 2025-05-13
Advisory Updated Date: 2025-05-13
Severity:
Medium
Issue Overview:
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. (CVE-2025-32414)
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. (CVE-2025-32415)
Affected Packages:
libxml2
Issue Correction:
Run dnf update libxml2 --releasever 2023.7.20250512 to update your system.
New Packages:
aarch64:
libxml2-debugsource-2.10.4-1.amzn2023.0.10.aarch64
python3-libxml2-debuginfo-2.10.4-1.amzn2023.0.10.aarch64
libxml2-static-2.10.4-1.amzn2023.0.10.aarch64
python3-libxml2-2.10.4-1.amzn2023.0.10.aarch64
libxml2-debuginfo-2.10.4-1.amzn2023.0.10.aarch64
libxml2-devel-2.10.4-1.amzn2023.0.10.aarch64
libxml2-2.10.4-1.amzn2023.0.10.aarch64
src:
libxml2-2.10.4-1.amzn2023.0.10.src
x86_64:
libxml2-debugsource-2.10.4-1.amzn2023.0.10.x86_64
libxml2-debuginfo-2.10.4-1.amzn2023.0.10.x86_64
libxml2-static-2.10.4-1.amzn2023.0.10.x86_64
libxml2-devel-2.10.4-1.amzn2023.0.10.x86_64
python3-libxml2-debuginfo-2.10.4-1.amzn2023.0.10.x86_64
libxml2-2.10.4-1.amzn2023.0.10.x86_64
python3-libxml2-2.10.4-1.amzn2023.0.10.x86_64