[PA-4770] Update libxml2 to 2.10.3 - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: puppet-agent 7.21.0
Component/s: Security
Labels:
- docs_reviewed
- security

Team:
Phoenix
Story Points:
2
Sprint:
Phoenix 2022-11-09, Phoenix 2022-11-23, Phoenix 2022-12-07
Method Found:
Needs Assessment

Release Notes:
Security Fix
Release Notes Summary:

Hide
Updates puppet-agent's vendored libxml2 from 2.9.8 to 2.10.3, which addresses CVE-2021-4541, CVE-2022-23308, CVE-2022-29824, CVE-2022-40303, and CVE-2022-40304.

Also updates puppet-agent's vendored libxslt from 1.1.33 to 1.1.37, which addresses CVE-2021-30560.

Show
Updates puppet-agent's vendored libxml2 from 2.9.8 to 2.10.3, which addresses CVE-2021-4541, CVE-2022-23308, CVE-2022-29824, CVE-2022-40303, and CVE-2022-40304. Also updates puppet-agent's vendored libxslt from 1.1.33 to 1.1.37, which addresses CVE-2021-30560.

QA Risk Assessment:
Needs Assessment

Description

While working on ~~PA-4767~~ which addresses an issue with libxml2 in Nokogiri, I discovered that we have not updated the libxml2 component used in puppet-agent, Bolt, and PDK runtimes since 2018. We currently ship libxml2 2.9.8.

We manually patch the following CVEs:

CVE-2018-9251
CVE-2018-14404
CVE-2018-14567

But I believe the version we ship is still vulnerable to the following CVEs:

CVE-2021-4541 (CVSS 6.5 medium)
CVE-2022-23308 (CVSS 7.5 high)
CVE-2022-29824 (CVSS 6.5 medium)
CVE-2022-40303
CVE-2022-40304 (this and previous CVE not graded by NIST yet)

We'll need to update to libxml2 2.10.3 to address these vulnerabilities.

Attachments

Activity

People

Assignee:: Michael Hashizume

Reporter:: Michael Hashizume

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022/10/26 1:21 PM

Updated:: 2022/12/07 1:37 PM

Resolved:: 2022/11/30 4:07 PM