{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- Fix CVE-2017-7375: add validation for parsed entity references in xmlParsePEReference\n- Fix CVE-2017-7376: fix buffer overflow in HTTP redirect URL port handling\n- Fix CVE-2024-25062: use-after-free in xmlreader with DTD validation and XInclude",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/amazonlinux2els/advisories/2026/clsa-2026_1776964888.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-23T17:22:17Z",
      "generator": {
        "date": "2026-04-23T17:22:17Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1776964888",
      "initial_release_date": "2026-04-23T17:22:17Z",
      "revision_history": [
        {
          "date": "2026-04-23T17:22:17Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "libxml2: Fix of 3 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Amazon Linux 2",
                "product": {
                  "name": "Amazon Linux 2",
                  "product_id": "Amazon-Linux-2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:amazon:amazon_linux:2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Amazon Linux"
          }
        ],
        "category": "vendor",
        "name": "Amazon Web Services, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                "product": {
                  "name": "libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_id": "libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libxml2@2.9.1-6.amzn2.5.24.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                "product": {
                  "name": "libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_id": "libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libxml2-python@2.9.1-6.amzn2.5.24.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                "product": {
                  "name": "libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_id": "libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libxml2-static@2.9.1-6.amzn2.5.24.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                "product": {
                  "name": "libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_id": "libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libxml2-devel@2.9.1-6.amzn2.5.24.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
        },
        "product_reference": "libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
        },
        "product_reference": "libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
        },
        "product_reference": "libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
        },
        "product_reference": "libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-7375",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2017-7375"
        },
        {
          "category": "external",
          "summary": "http://www.securityfocus.com/bid/98877",
          "url": "http://www.securityfocus.com/bid/98877"
        },
        {
          "category": "external",
          "summary": "http://www.securitytracker.com/id/1038623",
          "url": "http://www.securitytracker.com/id/1038623"
        },
        {
          "category": "external",
          "summary": "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa",
          "url": "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=1462203",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462203"
        },
        {
          "category": "external",
          "summary": "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e",
          "url": "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/201711-01",
          "url": "https://security.gentoo.org/glsa/201711-01"
        },
        {
          "category": "external",
          "summary": "https://source.android.com/security/bulletin/2017-06-01",
          "url": "https://source.android.com/security/bulletin/2017-06-01"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2017/dsa-3952",
          "url": "https://www.debian.org/security/2017/dsa-3952"
        }
      ],
      "release_date": "2018-02-19T19:29:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-23T17:21:31.217586Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888. Note that processes which already have the old libxml2 shared library loaded keep running the vulnerable code until they are restarted; restart affected services (or reboot) after installing the update, and confirm the installed libxml2 version is 2.9.1-6.amzn2.5.24.tuxcare.els1 or later.",
          "product_ids": [
            "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    },
    {
      "cve": "CVE-2017-7376",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling HTTP redirects: a redirect target whose port value exceeds the limit the code assumed overflows the buffer used for URL port handling. In practice this requires the application to let libxml2 fetch a resource over HTTP from a server the attacker controls or can cause to redirect.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2017-7376"
        },
        {
          "category": "external",
          "summary": "http://www.securityfocus.com/bid/98877",
          "url": "http://www.securityfocus.com/bid/98877"
        },
        {
          "category": "external",
          "summary": "http://www.securitytracker.com/id/1038623",
          "url": "http://www.securitytracker.com/id/1038623"
        },
        {
          "category": "external",
          "summary": "https://android.googlesource.com/platform/external/libxml2/+/51e0cb2e5ec18eaf6fb331bc573ff27b743898f4",
          "url": "https://android.googlesource.com/platform/external/libxml2/+/51e0cb2e5ec18eaf6fb331bc573ff27b743898f4"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=1462216",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462216"
        },
        {
          "category": "external",
          "summary": "https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e",
          "url": "https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e"
        },
        {
          "category": "external",
          "summary": "https://source.android.com/security/bulletin/2017-06-01",
          "url": "https://source.android.com/security/bulletin/2017-06-01"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2017/dsa-3952",
          "url": "https://www.debian.org/security/2017/dsa-3952"
        }
      ],
      "release_date": "2018-02-19T19:29:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-23T17:21:31.217586Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888. Note that processes which already have the old libxml2 shared library loaded keep running the vulnerable code until they are restarted; restart affected services (or reboot) after installing the update, and confirm the installed libxml2 version is 2.9.1-6.amzn2.5.24.tuxcare.els1 or later.",
          "product_ids": [
            "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    },
    {
      "cve": "CVE-2024-25062",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. The flaw is only triggered when both DTD validation and XInclude expansion are enabled on the reader, so applications that enable neither (or only one) are not exposed to this issue; the CVSS vector listed below rates the impact as availability only.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
          "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-25062"
        },
        {
          "category": "external",
          "summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604",
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604"
        },
        {
          "category": "external",
          "summary": "https://gitlab.gnome.org/GNOME/libxml2/-/tags",
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html",
          "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20241018-0009/",
          "url": "https://security.netapp.com/advisory/ntap-20241018-0009/"
        }
      ],
      "release_date": "2024-02-04T16:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-23T17:21:31.217586Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888. Note that processes which already have the old libxml2 shared library loaded keep running the vulnerable code until they are restarted; restart affected services (or reboot) after installing the update, and confirm the installed libxml2 version is 2.9.1-6.amzn2.5.24.tuxcare.els1 or later.",
          "product_ids": [
            "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776964888"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:libxml2-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-devel-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-python-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64",
            "Amazon-Linux-2:libxml2-static-0:2.9.1-6.amzn2.5.24.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}