Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: amd64
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01)
Changed-By: Guilhem Moulin
Description:
 libxml2 - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion
     and application crashes. The parser now enforces a limit on inclusion
     depth when resolving nested `` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable
     `RNG_INCLUDE_LIMIT`. (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in
     a call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
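
Added example, not part of this upload or of libxml2: a small audit that flags the XML catalog conditions named in the CVE-2026-0990 and CVE-2026-0992 entries above (a catalog that delegates back into its own chain, and a downstream catalog listed repeatedly). It assumes OASIS XML catalogs referenced by local file paths; the element names come from the OASIS XML Catalogs format rather than from this changelog, and the function names and sample catalogs are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"
# OASIS XML Catalog entries that hand resolution over to another catalog file.
CHAINING = {NS + n for n in ("nextCatalog", "delegateURI", "delegateSystem", "delegatePublic")}

def downstream_catalogs(path):
    """Catalog files that `path` chains to, in document order (local paths only)."""
    return [os.path.normpath(os.path.join(os.path.dirname(path), el.get("catalog")))
            for el in ET.parse(path).getroot().iter()
            if el.tag in CHAINING and el.get("catalog")]

def audit(root_catalog):
    """Return (kind, catalog, target) findings, using an explicit stack instead of recursion."""
    root = os.path.abspath(root_catalog)
    findings, done = [], set()
    stack = [(root, (root,))]            # (catalog, chain of catalogs leading to it)
    while stack:
        path, chain = stack.pop()
        if path in done:
            continue
        done.add(path)
        for target, count in Counter(downstream_catalogs(path)).items():
            if count > 1:                # same downstream catalog listed repeatedly
                findings.append(("duplicate", path, target))
            if target in chain:          # self-reference or a longer loop
                findings.append(("cycle", path, target))
            elif os.path.isfile(target):
                stack.append((target, chain + (target,)))
    return findings

def demo():
    """Audit two constructed catalogs; findings are reduced to basenames."""
    head = '<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">'
    files = {"catalog.xml": head + '<nextCatalog catalog="shared.xml"/>' * 2
             + '<delegateURI uriStartString="http://example.org/" catalog="catalog.xml"/></catalog>',
             "shared.xml": head + '<nextCatalog catalog="catalog.xml"/></catalog>'}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(kind, os.path.basename(p), os.path.basename(t))
                for kind, p, t in audit(os.path.join(tmp, "catalog.xml"))]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit()` at the root catalog an application actually loads; catalogs referenced by `file:` or remote URIs are not followed by this sketch.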