mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 00:18:27 +00:00
This PR adds VEX statement files for three vulnerabilities:

```
┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status   │    Installed Version    │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │               │ libxml: Heap use after free (UAF) leads to Denial of service │
│         │                │          │          │                         │               │ (DoS)...                                                     │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49794                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49795 │          │          │                         │               │ libxml: Null pointer dereference leads to Denial of service  │
│         │                │          │          │                         │               │ (DoS)                                                        │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49795                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49796 │          │          │                         │               │ libxml: Type confusion leads to Denial of service (DoS)      │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49796                   │
└─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

The vulnerabilities in libxml2 do not affect fleetctl, since the attack vector is DoS and fleetctl is not a server tool. Additionally, the libxml2 package isn't used by fleetctl directly, but by the tools it uses for code signing, which don't parse untrusted XML.
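As an added example (not the VEX files from this commit, and not Fleet code), the program below shows what such "not affected" statements look like in OpenVEX form and how a consumer applies them to scanner findings: the three libxml2 rows above come out as `not_affected`, while a finding no statement covers keeps its scanner status. The document's `@id`, author, timestamp, the Debian purl and the choice of `vulnerable_code_cannot_be_controlled_by_adversary` as the justification are assumptions made for the example; `CVE-0000-00000` is a constructed placeholder, not a real CVE.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Subset of an OpenVEX v0.2.0 document; fields the matcher does not need (@context, @id,
// author, timestamp, version) are left undeclared and skipped by json.Unmarshal.
type Document struct {
	Statements []Statement `json:"statements"`
}
type Statement struct {
	Vulnerability   struct{ Name string `json:"name"` } `json:"vulnerability"`
	Products        []struct{ ID string `json:"@id"` }  `json:"products"` // package URLs
	Status          string                              `json:"status"`
	Justification   string                              `json:"justification,omitempty"`
	ImpactStatement string                              `json:"impact_statement,omitempty"`
}
// Finding is one row of a scanner report such as the trivy table above.
type Finding struct{ Package, Version, CVE, Status string }

// constructedVEX is a hand-written stand-in, not the VEX file from this commit;
// the @id, author, timestamp, purl and justification value are assumptions.
const constructedVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/fleetctl-libxml2",
  "author": "example author", "timestamp": "2025-07-01T00:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2025-49794"}, "status": "not_affected",
     "products": [{"@id": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?distro=debian-12"}],
     "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
     "impact_statement": "libxml2 is reached only via the code-signing tools, which do not parse untrusted XML."},
    {"vulnerability": {"name": "CVE-2025-49795"}, "status": "not_affected",
     "products": [{"@id": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?distro=debian-12"}],
     "justification": "vulnerable_code_cannot_be_controlled_by_adversary"},
    {"vulnerability": {"name": "CVE-2025-49796"}, "status": "not_affected",
     "products": [{"@id": "pkg:deb/debian/libxml2@2.9.14%2Bdfsg-1.3~deb12u1?distro=debian-12"}],
     "justification": "vulnerable_code_cannot_be_controlled_by_adversary"}
  ]
}`

// ParseVEX decodes a document and rejects a not_affected claim that carries neither a
// justification nor an impact statement (the OpenVEX spec requires one of the two).
func ParseVEX(data []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	for i, s := range doc.Statements {
		if s.Status == "not_affected" && s.Justification == "" && s.ImpactStatement == "" {
			return nil, fmt.Errorf("statement %d: not_affected needs a justification or impact_statement", i)
		}
	}
	return &doc, nil
}

// productMatches compares a purl (pkg:<type>/<namespace>/<name>@<version>?<qualifiers>)
// with a finding. Simplified on purpose: type, namespace and qualifiers are ignored.
func productMatches(purl, pkg, version string) bool {
	if i := strings.IndexByte(purl, '?'); i >= 0 {
		purl = purl[:i]
	}
	at := strings.LastIndexByte(purl, '@')
	if at < 0 {
		return false
	}
	name := purl[strings.LastIndexByte(purl[:at], '/')+1 : at]
	ver, err := url.PathUnescape(purl[at+1:]) // scanners write '+' as %2B in purls
	return err == nil && name == pkg && ver == version
}

// ApplyVEX overrides a finding's status with that of a matching statement;
// findings no statement covers keep the scanner's status.
func ApplyVEX(doc *Document, findings []Finding) []Finding {
	out := make([]Finding, 0, len(findings))
	for _, f := range findings {
		for _, s := range doc.Statements {
			for _, p := range s.Products {
				if s.Vulnerability.Name == f.CVE && productMatches(p.ID, f.Package, f.Version) {
					f.Status = s.Status
				}
			}
		}
		out = append(out, f)
	}
	return out
}

// SampleFindings is the trivy table above plus one constructed placeholder row
// (CVE-0000-00000 is not a real CVE) that no statement covers.
func SampleFindings() []Finding {
	v := "2.9.14+dfsg-1.3~deb12u1"
	return []Finding{{"libxml2", v, "CVE-2025-49794", "affected"}, {"libxml2", v, "CVE-2025-49795", "affected"},
		{"libxml2", v, "CVE-2025-49796", "affected"}, {"libxml2", v, "CVE-0000-00000", "affected"}}
}

func main() {
	doc, err := ParseVEX([]byte(constructedVEX))
	if err != nil {
		panic(err)
	}
	fmt.Println(ApplyVEX(doc, SampleFindings()))
}
```

Two points worth keeping when writing real files: a `not_affected` statement without a justification or impact statement is invalid OpenVEX, so a consumer should refuse it rather than silently suppress the finding; and product matching must compare the full purl (type, namespace, name, version), since the simplified name-and-version check here would wrongly suppress the same CVE reported against a different distribution's build of libxml2.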
Directories in this tree:

- fleet
- fleetctl