Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: mips64el
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: mipsel Build Daemon (mipsel-osuosl-03)
Changed-By: Guilhem Moulin
Description:
 libxml2 - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion
     and application crashes. The parser now enforces a limit on inclusion
     depth when resolving nested `` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable
     `RNG_INCLUDE_LIMIT`. (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely
     if a catalog has a URI delegate referencing itself, eventually resulting
     in a call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.