fleet

Elgato_dark/fleet

Fork 0

mirror of https://github.com/fleetdm/fleet synced 2026-05-02 10:57:25 +00:00

Commit graph

Author	SHA1	Message	Date
Scott Gress	ed8506dd77	Add VEX statements for libxml2 CVEs (#30011 ) This PR adds VEX statement files for three vulverabilities: ``` ┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │ │ libxml: Heap use after free (UAF) leads to Denial of service │ │ │ │ │ │ │ │ (DoS)... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49794 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49795 │ │ │ │ │ libxml: Null pointer dereference leads to Denial of service │ │ │ │ │ │ │ │ (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49795 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49796 │ │ │ │ │ libxml: Type confusion leads to Denial of service (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49796 │ └─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ ``` the vulnerabilities in libxml2 do not affect fleetctl, since the attack vector is DoS and fleetctl is not a server tool. Additionally the libxml2 package isn't used by fleetctl directly, but by the tools it uses for code signing, which don't parse untrusted XML.	2025-06-13 17:00:49 -05:00

Author

SHA1

Message

Date

Scott Gress

ed8506dd77

Add VEX statements for libxml2 CVEs (#30011 )

This PR adds VEX statement files for three vulverabilities:

```
┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │  Status  │    Installed Version    │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │               │ libxml: Heap use after free (UAF) leads to Denial of service │
│         │                │          │          │                         │               │ (DoS)...                                                     │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49794                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49795 │          │          │                         │               │ libxml: Null pointer dereference leads to Denial of service  │
│         │                │          │          │                         │               │ (DoS)                                                        │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49795                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49796 │          │          │                         │               │ libxml: Type confusion leads to Denial of service (DoS)      │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49796                   │
└─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

the vulnerabilities in libxml2 do not affect fleetctl, since the attack
vector is DoS and fleetctl is not a server tool. Additionally the
libxml2 package isn't used by fleetctl directly, but by the tools it
uses for code signing, which don't parse untrusted XML.

2025-06-13 17:00:49 -05:00

1 commit