-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2026 19:02:23 +0200 Source: libxml2 Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym Architecture: arm64 Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3 Distribution: trixie Urgency: high Maintainer: arm64 Build Daemon (arm-ubc-01) Changed-By: Guilhem Moulin Description: libxml2 - GNOME XML library libxml2-dev - GNOME XML library - development files libxml2-utils - GNOME XML library - utilities python3-libxml2 - GNOME XML library - Python3 bindings Closes: 1125691 1125695 1125696 Changes: libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. * Add d/salsa-ci.yml for Salsa CI. Checksums-Sha1: b469d6920136de155ee123afb5af53d8a5d779fe 1897928 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb ae76b0ab3b03c6bc163e6dab4381c324c132c06f 753452 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb b659948248949829118db4f21d86555dd2cc650f 80616 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 039ed2480f093c28b035d6d13fe4548da0284e21 99508 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 5118cee3596aa7ce39ff6af214a91643a7324f75 9333 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64-buildd.buildinfo 2134e5dafdd15479196fd07e3362c3d3424832da 631428 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 98589b5a4e98456435af6bb827fcea78d052f669 247504 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 0a64c98f7c98eaf5dfdb3a7bbde37a7664962a2b 186932 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb Checksums-Sha256: 52a2f9d187ccaca4753dbfe16cca5539bbc4aa91f80b23506f4eb1eef15de5cf 1897928 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb f8113dcd311bcef8f98264971c39e66ca93db60ed0a38730bd86911d54d06129 753452 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 1552cfcdf62b88808bc900acc1756cc1bbb826ff6c064301183a4ad178692f97 80616 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 8fe018b0270315582f1fbb40cea2df2972ff77bc8faac516d71b92280622c97f 99508 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb c985594a94454615cd7d8102e5869c6e2c67527db3114086167fe130c61f0663 9333 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64-buildd.buildinfo a66b9c960acef8ed9653223cbd00b155a92ebb758ea13a788c41609246c23bc7 631428 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb afe15d61c91038b4ea4ca96815af27938285c5ffea6162b74a89e9c330c7b9d1 247504 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 6f93f438927402884a9cdd2cc1bc1d257c2f979deb2ffeb2ee09e2e9baa84450 186932 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb Files: 99d059667f3c968f5a8b4569f18e6124 1897928 debug optional libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb bb61961673186cf7493af9bbc9b3d88b 753452 libdevel optional libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb ceb181eaa5d5b27740008e123f4d3eeb 80616 debug optional libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 14777b9b4a40cec40053a2a3a714b9bf 99508 text optional libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 4643e405036213df8e39a1e6dcc063b7 9333 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64-buildd.buildinfo a9e8d99406f5d5185074c9cb4523cec9 631428 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb f1159f50eb1a27641f638ac08435347b 247504 debug optional python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb 4887e147fd65c290d45773cb0904e362 186932 python optional python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0Ha//LlsGOpbQ/H4xqCFmsOWgoYFAmooYtAACgkQxqCFmsOW goYAxw//bbI4T1XSKREPImuJNGWlvW6zW8mrwhdMAcYgxLmB8g2LDyxBZttzIzMm QKLolza4EqiIrSF1XbhtjTIKpcFUYmosRd4YdbTbVaNxM22sys3Z+JNzez8kA1ID pvrjmqv2JXTtKTUE3XszlUm27tnHHg6qqGCe/e0WNHHMw86ha+GGSocU9COfQgbX gbuDHW6G40xRgn25mIk5KbMe33r0PIWAs53ff3+3jkwZ9GIJVEJRjZ8v/12zo1lL 4bvxK8nJ3+Hog2h/j/gYzb4Js0bEp4r10Q39/yS7Zz5m310IKTdJqbWlm1uPLtKY X09dJdpkQ+fHkOPYBILOn0cX0CJSyNg639dwm2/fenpEZ37A4DWwozdx0dssG9KE rMioXWiKPLZV/Fso6CNx7+COrbobFpWpEQwVQBa5R0GZ9sMAi1ysa64Dxr33uk9h snSsVZs6i+BAoWMhryLrAK2pO0VaN6GXEhve+bjLd2s/FmjiIPnYwqdYzuYkAgHm 7fZo85FmuFutvpHryv/3nLjV70Y0GoF31aid8j4Zw+mTMaF6t2YeKXccrDb6fUYo URsobva5C659gJgIKn1ErKgMmvRVWbl1DgLGg+Tj5/hRJO5eWw//xxfxQ3gcmvF1 5YcGTXC9piMUdOztC8MIXlWQEZlnwv/mDcKeNNhpMH+aMvNvjiw= =glHS -----END PGP SIGNATURE-----