-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 19:02:23 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: i386
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3
Distribution: trixie
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02) <buildd_amd64-x86-ubc-02@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
   * Add d/salsa-ci.yml for Salsa CI.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
