
build/deps: upgrade libxml2 to v2.15.3 (CVE-2026-6732)#30392

Merged: tyson-redpanda merged 4 commits into dev from snyk/cve-2026-6732-libxml2-2.15.3 on May 12, 2026

Conversation

@tyson-redpanda
Contributor

@tyson-redpanda tyson-redpanda commented May 6, 2026

Upgrades libxml2 from 2.15.2 to 2.15.3 to fix CVE-2026-6732 (type confusion vulnerability in XSD validation with internal entity references, CVSS 7.1 High). This branch uses libxml2 via the Bazel Central Registry which was published in bazelbuild/bazel-central-registry#8777. Backports to v26.1.x and v25.3.x are handled separately via vtools/S3.

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v26.1.x
  • v25.3.x
  • v25.2.x

Release Notes

Bug Fixes

  • Upgraded libxml2 to v2.15.3 to fix CVE-2026-6732 type confusion vulnerability in XSD validation.

FIXES=CORE-16201

Fixes type confusion vulnerability in XSD validation with internal
entity references. Upgrades from 2.15.2 to 2.15.3.
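A check a reviewer of a dependency bump like this one would want to run is that the pin actually landed at or above the fixed release. The following is an added example, not Redpanda's tooling and not code from this PR: it reads a `bazel_dep(name = "libxml2", version = ...)` line out of a MODULE.bazel (the fragment below is constructed for the example; the PR itself does not show the real file), compares the pinned version against 2.15.3, and converts the dotted version to the integer form that libxml2's LIBXML_VERSION macro and xmlParserVersion string use (2.15.3 is 21503), so the same comparison can be made against a running binary. The Bazel Central Registry may append a `.bcr.N` suffix to a module version for registry-only rebuilds; the comparison strips that suffix because it does not change the upstream libxml2 sources.

```python
import re
from typing import Optional, Tuple

# Constructed MODULE.bazel fragment for this example; it is not the project's
# real file. The dependency name "libxml2" matches the BCR module name.
SAMPLE_MODULE_BAZEL = '''
module(name = "example", version = "0.0.0")

bazel_dep(name = "libxml2", version = "2.15.3")
bazel_dep(name = "zlib", version = "1.3.1.bcr.3")
'''

# First libxml2 release carrying the fix for CVE-2026-6732, per the PR text.
FIXED_VERSION = "2.15.3"

_BAZEL_DEP_RE = re.compile(
    r'bazel_dep\(\s*name\s*=\s*"(?P<name>[^"]+)"\s*,\s*version\s*=\s*"(?P<version>[^"]+)"',
    re.DOTALL,
)


def bazel_dep_version(module_text: str, dep_name: str) -> Optional[str]:
    """Return the version pinned for dep_name in MODULE.bazel text, or None."""
    for m in _BAZEL_DEP_RE.finditer(module_text):
        if m.group("name") == dep_name:
            return m.group("version")
    return None


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.MICRO[.bcr.N]' into a comparable tuple.

    The '.bcr.N' suffix marks a registry-only rebuild of the same upstream
    sources, so it is dropped before comparing.
    """
    upstream = version.split(".bcr.")[0]
    parts = upstream.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised libxml2 version string: {version!r}")
    major, minor, micro = (int(p) for p in parts)
    return (major, minor, micro)


def libxml_version_number(version: str) -> int:
    """Encode a dotted version as libxml2's LIBXML_VERSION does:
    major*10000 + minor*100 + micro (2.15.3 -> 21503). The runtime string
    xmlParserVersion carries the same number, so this lets a binary be
    checked the same way as the build pin."""
    major, minor, micro = parse_version(version)
    return major * 10000 + minor * 100 + micro


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version is at or above the release that fixes the CVE."""
    return parse_version(version) >= parse_version(fixed)


def check_module(module_text: str) -> dict:
    """Summarise whether the libxml2 pin in module_text is at the fixed release."""
    pinned = bazel_dep_version(module_text, "libxml2")
    if pinned is None:
        return {"pinned": None, "fixed": False, "reason": "libxml2 not declared"}
    fixed = is_fixed(pinned)
    return {
        "pinned": pinned,
        "fixed": fixed,
        "libxml_version": libxml_version_number(pinned),
        "reason": "ok" if fixed else f"below {FIXED_VERSION}",
    }


if __name__ == "__main__":
    print(check_module(SAMPLE_MODULE_BAZEL))
```

The pin check is only half of the story for a CVE bump: a binary linked against a vendored or cached older libxml2 would still report 21502 through xmlParserVersion, which is why the numeric form is worth comparing against the artifact that actually ships.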
@tyson-redpanda tyson-redpanda enabled auto-merge May 12, 2026 13:15
@tyson-redpanda tyson-redpanda requested a review from dotnwat May 12, 2026 14:33
@vbotbuildovich
Collaborator

CI test results

test results on build #84327

| test_status | test_class | test_method | test_arguments | test_kind | job_url | passed | reason | test_history |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FLAKY(PASS) | ShadowLinkBasicTests | test_link_creation_checks | `{"source_cluster_spec": {"cluster_type": "kafka", "kafka_quorum": "COMBINED_KRAFT", "kafka_version": "3.8.0"}}` | integration | https://buildkite.com/redpanda/redpanda/builds/84327#019e1ca5-685a-4e0d-ba7a-7ea985da27ac | 10/11 | Test PASSES after retries. No significant increase in flaky rate (baseline=0.0198, p0=1.0000, reject_threshold=0.0100; adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000) | https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=ShadowLinkBasicTests&test_method=test_link_creation_checks |
| FLAKY(PASS) | ShadowLinkBasicTests | test_link_creation_checks | `{"source_cluster_spec": {"cluster_type": "kafka", "kafka_quorum": "COMBINED_KRAFT", "kafka_version": "3.8.0"}}` | integration | https://buildkite.com/redpanda/redpanda/builds/84327#019e1ca6-9fbc-4392-a913-f989e213d8cc | 10/11 | Test PASSES after retries. No significant increase in flaky rate (baseline=0.0198, p0=1.0000, reject_threshold=0.0100; adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000) | https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=ShadowLinkBasicTests&test_method=test_link_creation_checks |
| FLAKY(PASS) | WriteCachingFailureInjectionE2ETest | test_crash_all | `{"use_transactions": false}` | integration | https://buildkite.com/redpanda/redpanda/builds/84327#019e1ca5-6857-4d8f-9f14-a062dcae7813 | 9/11 | Test PASSES after retries. No significant increase in flaky rate (baseline=0.0978, p0=0.6427, reject_threshold=0.0100; adj_baseline=0.2656, p1=0.2106, trust_threshold=0.5000) | https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=WriteCachingFailureInjectionE2ETest&test_method=test_crash_all |

@tyson-redpanda tyson-redpanda merged commit 250e9d8 into dev May 12, 2026
18 checks passed
@tyson-redpanda tyson-redpanda deleted the snyk/cve-2026-6732-libxml2-2.15.3 branch May 12, 2026 15:49

3 participants