CVE-2016-3709

NameCVE-2016-3709
DescriptionPossible cross-site scripting vulnerability in libxml after commit 960f0e2.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesELA-656-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libxml2 (PTS)jessie, jessie (lts)2.9.1+dfsg1-5+deb8u15fixed
stretch (security)2.9.4+dfsg1-2.2+deb9u7vulnerable
stretch (lts), stretch2.9.4+dfsg1-2.2+deb9u10fixed
buster2.9.4+dfsg1-7+deb10u4vulnerable
buster (security)2.9.4+dfsg1-7+deb10u6vulnerable
bullseye (security), bullseye2.9.10+dfsg-6.7+deb11u4vulnerable
bookworm2.9.14+dfsg-1.3~deb12u1fixed
sid, trixie2.9.14+dfsg-1.3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libxml2sourcejessie(not affected)
libxml2sourcestretch2.9.4+dfsg1-2.2+deb9u8ELA-656-1
libxml2source(unstable)2.9.12+dfsg-3

Notes

[bullseye] - libxml2 <no-dsa> (Minor issue)
[buster] - libxml2 <no-dsa> (Minor issue)
https://mail.gnome.org/archives/xml/2018-January/msg00010.html
https://bugzilla.gnome.org/show_bug.cgi?id=769760
Introduced by: https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588 (v2.9.2-rc1)c
Fixed by: https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f (v2.9.11)
[jessie] - libxml2 <not-affected> (vulnerable code introduced later)

Search for package or bug name: Reporting problems