Prepare stable update of libxml2

Hi @tobi,

Some libxml2 CVEs have been fixed in buster (and older) but remain non-fixed in bullseye and more recent releases. Those CVEs have been marked by the security team as no-dsa, so they have no immediate plans to deal with them. Could you please coordinate with the maintainer and SRM to have an updated package included in the next point release (for CVEs affecting bookworm) and prepare a supplementary DLA (for CVEs affecting bullseye)? Additionally, please keep the security team informed concerning this matter by mailing team@security.debian.org with a brief summary once a course of action has been agreed upon between yourself, the maintainer, and SRM (as applicable).

Note that this package has been listed in dla-needed.txt, so make sure to claim it there as well when working on this issue.

TIA!