Just finished my writeup about CVE-2025-23369, an interesting SAML authentication bypass on GitHub Enterprise Server I reported last year. you can read about it here:

I just made libxml2 memory safe in less than 10 minutes using Fil-C. Passes the test suite. Even the python bindings seem to work

5 CVEs in libxml2 CVE-2025-49794: Heap UAF DoS.CVE-2025-49795: Null pointer dereference DoS.CVE-2025-49796: Type confusion DoS.CVE-2025-6021: Integer and Buffer Overflow in xmlBuildQName().CVE-2025-6170: Stack-based Buffer Overflow in xmllint Shell.

🌐 Celebrating 25 years of Libxml2! 🎉 A testament to open-source success, yet challenges persist. 📉 While it powers so many sectors, support for its sustainability is lacking. #OpenSource #Libxml2 #CommunityMatters

in lxml <= 5.3.2 with libxml2 2.12.x, XXE using parameter entities was possible due to libxml2 behavior - allowing indirect overrides of local DTDs. this worked even without resolve_entities, since libxml2 expanded parameter entities anyway :). it didn’t really make noise since.

RE: -- libxml2 maintainer will no longer embargo security bugs, and they will be fixed whenever maintainers find time, not ASAP. Good for him! Maybe Apple/Google/et al should adopt or rewrite the project, not rely on unpaid volunteers. Toxic culture.

CVE Binary Tool quick start / README. The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can

Reviving old iphones for test purposes. Here's some cross-compiled debs (confirmed works on iOS6). python3.11.9.libxml2.libxslt.openssl3.

The solo maintainer for libxml2 is no longer accepting embargoed vulnerability reports, citing the unsustainable burden as an unpaid volunteer. Security issues will be treated like any other bug report moving forward. 📄 #cybersecurity #opensource.

⭐️PS5 pacbrew 0.19 released by John Törnblom. 🔹new packages: libzip, libxml2, libsmb2, libnfs, libssh2, libpsl, mesa (swrast/osmesa), glu, glew.🔹zstd: use cmake when building. 📥

this is what you call a “dudes rock moment”

honggfuzz alive and kicking. stack based buffer overflow in libxml2 -

I see threads about libxml2 and libxslt today, so it seems like a good opportunity to talk about sustainability in Free Software again. I'll start with a story that I often repeat to my coworkers when we talk about responsibility silos.

CVE-2024-40896 (CVSS 9.1): Critical XXE Vulnerability Discovered in libxml2

#slackware security advisory for libxml2 (SSA:2025-196-01)

#FreeBSD.libxml2のsonameが更新.→xsltproc(libxslt)が動作しなくなる.→sambaのビルドでmanページが生成されなくなる.→pkg-plistとの不整合でpkg処理に失敗して未インストール状態になる.→pam_winbind.soが消滅するのでrootですらシングルユーザーモードでないとログインできなくなる ←イマココ.

Four flaws in libxml2 (CVE-2025-6021, CVE-2025-49794, CVE-2025-49795, CVE-2025-49796) expose systems to memory corruption, RCE, and DoS attacks. #libxml2 #XMLSecurity #Cybersecurity #Vulnerability #MemoryCorruption.

libxml2で型の取り違えの脆弱性。公式は脆弱性にあたらずとしているがCVE-2025-49796が採番された。未修正。Red Hatは信頼されないXML文書を処理しないことを緩和策としている。

CVE-2025-6021 A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can resu…

Triaging security issues reported by third parties (#913) · Issues · GNOME / libxml2 · GitLab