-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2026 19:02:23 +0200 Source: libxml2 Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym Architecture: amd64 Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3 Distribution: trixie Urgency: high Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) Changed-By: Guilhem Moulin Description: libxml2 - GNOME XML library libxml2-dev - GNOME XML library - development files libxml2-utils - GNOME XML library - utilities python3-libxml2 - GNOME XML library - Python3 bindings Closes: 1125691 1125695 1125696 Changes: libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. * Add d/salsa-ci.yml for Salsa CI. Checksums-Sha1: 40fd6b555f69949ef663ce4d47aa0c6cb31a5e6c 1897640 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb cb78895d351a518eb44a699eedfb91e6108f055e 794724 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 92cd9c4d331e06a2b745238b8764d30017a5fb60 77736 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 2536948ef8b2136044eae175e8d65dde356580d3 101244 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb ad1bdcda11ac366b056ec30f90a07980cf93809d 9352 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64-buildd.buildinfo 1004cd76d8bbb2b8603eaf4ac38670d6b1b79928 699724 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 668a4b601db9c95d6da7970847ab2ec4f077952c 232096 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb fc6690bc33d5ba3b363a55b3f7d7fedad2cee30d 190012 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb Checksums-Sha256: 760500a3d695d703b30817f43adc0f0f6657aec9bedb71ea9f26a4091fa3aaa6 1897640 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 2d1a5825cabb43cf4be6848a4acc4a73c50d9c3740ab0c76e2fed80a3e5c6398 794724 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb ba07ec2f947a8b01f93524c65c50b84f9bce53326199110053d805d31d2e17ed 77736 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb cfa40541f9b314491c53b6c63e23ee1a2afa2ac309e6ca379c1081ef2b62e773 101244 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 18b5c6f012c1b01f58bac228681b01c5da79cb25f51ce6d3f88c54887072a3b8 9352 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64-buildd.buildinfo e0c6b63ce4602a036a526f60fe5e6c1586710688058d98fc1001b9b3147b7efd 699724 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb b1b77f660726cff1302689b6bd1fd2b99dff6d8086514c958df042c52a6ede8f 232096 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 4d6dad24afa250d24b9f6cdc29fbb714a0c46442f9924a7edb04ec51f46fc7f3 190012 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb Files: e60f8261333384f63840decf1f1333e3 1897640 debug optional libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 2b320a38b9295e9df8541ababf09c1f3 794724 libdevel optional libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 658c46958760bb54a869856c84cc239b 77736 debug optional libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb cde6a785e7e57253d9e40e025992b1ae 101244 text optional libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 91cadc53c8ea3226248814fd7c123b9d 9352 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64-buildd.buildinfo 381b30ad5e8669318c82153f776a0e40 699724 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb b1cc4d6b6fb8f5812b6356af60de7c03 232096 debug optional python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb 69c0469e88bfb902940d766177bcf62e 190012 python optional python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEmtr4KUMaso2EQ6NrTwt/65ON6zcFAmooZjIACgkQTwt/65ON 6zfI8Q/8DKWd17NntcmM8uKQ3g3mhnEg017HZk+rF9I2/QA+zmrQtGB70jzF6/B0 0CvsPRajkVR2ZKpOALITKQinL+k9vSbyIVM3yVOWtT7AGYThfmTurdckThRU1kvL 3KilXRI2Cs+HTNixwkBwO2ayREwIa3Wkv2SN0mSZfPtNwvF7NXU1JTE+3l7XOqyS 8Ddsa5+q+gtqYRgfNnrnxmzuKaW/nxBE9B3U3ky9MTrdB5/0wm4ctu9EIjwu7eOy UCdEXlnc4e1jqyI2q/T4lbcGAkg78JTIaLIqTT6uJPCSH5L0PdycKW9zskx3FduN 4p0Iv5DPtZucJnlCRiIVs6Yo51ED/cALnykwHRr0fuhdUk0v3CXAqJ6OixJJJ8es rWIkfrZiSOQ8vI1NMTdcoHVkZhyELYScJQuL5dKH6C+VAaTVVLnpL9APQjXfBVIW jO/lqhFd6QI+7D7mxG+iKR7nI9PyT/DL8KxP+P2/X6zzVEHigao8innwBJMEmeFD T0f8GNCQ4orFRClKMVBuhP4L5niSs1G4VZPIMZ9vlLsClX8O3JVW8BacRfn9sHu7 oYzVWgWNxErmb2PXnuLclQObHlhd9GRLxf3g8mN5h6+NY/b4gIzsh9nXKp9wTQ6L 5avHUi13l6nSm4PfEe6WCVEA1pFxEcJtPlQoFMxz5Mi922KMFyY= =T9z4 -----END PGP SIGNATURE-----