Format: 1.8
Date: Sun, 07 Jun 2026 19:02:23 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: armhf
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3
Distribution: trixie
Urgency: high
Maintainer: armhf Build Daemon (arm-conova-01)
Changed-By: Guilhem Moulin
Description:
 libxml2 - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion
     and application crashes. The parser now enforces a limit on inclusion
     depth when resolving nested `` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable
     `RNG_INCLUDE_LIMIT`. (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely
     if a catalog has a URI delegate referencing itself, eventually resulting
     in a call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
   * Add d/salsa-ci.yml for Salsa CI.