CVE-2016-3709

Name	CVE-2016-3709
Description	Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3878-1, ELA-1176-1, ELA-656-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libxml2 (PTS)	jessie, jessie (lts)	2.9.1+dfsg1-5+deb8u17	fixed
	stretch (security)	2.9.4+dfsg1-2.2+deb9u7	vulnerable
	stretch (lts), stretch	2.9.4+dfsg1-2.2+deb9u11	fixed
	buster, buster (lts)	2.9.4+dfsg1-7+deb10u9	fixed
	buster (security)	2.9.4+dfsg1-7+deb10u6	vulnerable
	bullseye	2.9.10+dfsg-6.7+deb11u4	vulnerable
	bullseye (security)	2.9.10+dfsg-6.7+deb11u5	fixed
	bookworm	2.9.14+dfsg-1.3~deb12u1	fixed
	sid, trixie	2.12.7+dfsg+really2.9.14-0.2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
libxml2	source	jessie	2.9.1+dfsg1-5+deb8u16	ELA-1176-1
libxml2	source	stretch	2.9.4+dfsg1-2.2+deb9u11	ELA-1176-1
libxml2	source	buster	2.9.4+dfsg1-7+deb10u7	ELA-1176-1
libxml2	source	bullseye	2.9.10+dfsg-6.7+deb11u5	DLA-3878-1
libxml2	source	(unstable)	2.9.12+dfsg-3

Notes

[buster] - libxml2 <no-dsa> (Minor issue)
https://mail.gnome.org/archives/xml/2018-January/msg00010.html
https://bugzilla.gnome.org/show_bug.cgi?id=769760
Introduced by: https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588 (v2.9.2-rc1)c
Fixed by: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f (v2.9.11)
[jessie] - libxml2 <not-affected> (vulnerable code introduced later)