Control: found 378411 2.40-1
Control: found 378412 2.40-1
Control: severity 378412 important
Control: fixed 378411 2.46-1

Recently those issues got assigned CVEs, CVE-2006-10002 and CVE-2006-10003, and while checking it looks like we lost the patches around 2.40-1.

#378411, aka CVE-2006-10002, got later fixed in upstream with https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255 in 2.45 and later improved with https://github.com/cpan-authors/XML-Parser/commit/5361c2b7f48599718cdecbe50c5fdd88b28ffd79 but the fix is in 2.45 already.

#378412, aka CVE-2006-10003, was only fixed later now in https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1 .

I intend to "re-queue" fixes for both as well as the improvement and the CVE-2006-10003 down to bookworm via point release updates; I do not think a DSA is warranted here. I would like to expose first the fixes via unstable, then look at point release updates ideally.

There is much ongoing on XML::Parser upstream now, and the 2.48 release was followed already by further bugfix rounds 2.49 and 2.51.

