-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2026 17:53:53 +0200 Source: libxml2 Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym Architecture: mipsel Version: 2.9.14+dfsg-1.3~deb12u6 Distribution: bookworm Urgency: high Maintainer: mipsel Build Daemon (mipsel-osuosl-05) Changed-By: Guilhem Moulin Description: libxml2 - GNOME XML library libxml2-dev - GNOME XML library - development files libxml2-utils - GNOME XML library - utilities python3-libxml2 - GNOME XML library - Python3 bindings Closes: 1125691 1125695 1125696 Changes: libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. Checksums-Sha1: 6885b3eed1f2dd82a85d061f6c1d5a26b170a369 1948552 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb c0f52bada9eb63a51e32902b8e118d6c76ce5d4a 809552 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 85f25f7314b87a47ff882a1023affd29c5e91d1a 79704 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb e472d98fe611acabd51d4659adb797659c2fa612 97492 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 0e580fd89cf9503651d92cbe88b8c7bd4f93b8b3 9006 libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel-buildd.buildinfo 49d39e9047cedb4206976a9aaea36deadcea8a10 601912 libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel.deb e53825b46c24e3e98a58dcc106bdaebc396625b8 250736 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb c43996bef62ef6bd7872350f07fdaaaad98a635e 175732 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel.deb Checksums-Sha256: 1e1eff7f15523cbd6d2fe75182a4b9b792492c4ae6c0656211a31be8b31fa605 1948552 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 88ac88093410ebc2f642f2807c2b2270b0900930dc3e2c69255e23148f2c3631 809552 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_mipsel.deb d321d15161204700006c3ce51ed499862d1585c252f74125ebcd82036dbcc118 79704 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 68a7218e7edf4ead74103e9985b45c22d52d03458cccbbdbce508eed8f9dac5f 97492 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 25249cc8d8f96138504f7712272a803048854ebbf12a2b15df5b73bd1a82722c 9006 libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel-buildd.buildinfo bd1b5c726555611a2de34a8ec26fa867cc7a9ae3197d7e858843b59b481cabca 601912 libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 22471f057649c6df2f95cf43c81f6303c3c0e7bc48b71a2c1e209b46ee3e3e4c 250736 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb f3029eaa8eefb7139c8a91a1d22708f752423b6fae803bc5d3c57a8a585bb9c9 175732 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel.deb Files: 56eea5cb6ed3ff911953df3604588434 1948552 debug optional libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 022f0557e732b8d82d9dee09da1e8a00 809552 libdevel optional libxml2-dev_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 709cdcb70c2920d5f66cd4c334ea7fa0 79704 debug optional libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 6a4035f952cf79829e429cc47ae21d44 97492 text optional libxml2-utils_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 71f7c442152cc3abac11ffd8d6643418 9006 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel-buildd.buildinfo b2c5df3528297786ad51bcadca517cc6 601912 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel.deb d20536f9159109e06f6d43336b52f05c 250736 debug optional python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mipsel.deb 74d64e953423248f01dc2f68b5880114 175732 python optional python3-libxml2_2.9.14+dfsg-1.3~deb12u6_mipsel.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE4ZxaH3zEHAF/GhnCHrk2gTKeWggFAmooagwACgkQHrk2gTKe WggmPw/8DzQBvTQFk09FKGZulrIGZMqeLD4nkcOa4rBZ6D5Q/ANI0Ne7YZOUiLj9 tmd/seLIGwkP90PRQSHlFkqiI83hykHNeYZNhExujsx10YvGmHlo2Kl9lvGNTWxE hUzqEAyr90tgV6J9q7+Yu7oKjlorpB4cFrVkYYFw3Ra17TJi0pdjqREIETXOp3Ge hU5QjDVAhQO1/4fvBWobUToAoQGXy18AFv8BBfDNS7sQRTpAQg+2lMth0d1tgZHL kiuT9j0Hx8Q+e8X09FjxMTefs0ezJ5UFRx75/PN2i8cSpBCaqFdNEhJgp162qiTf nAlpc/I62rJhWGLvWG3dNZBgOl3nJcmWn+FLn14PnEIeyjSSMC2LvkqwhwOtHuok fvanXTlbCPOnVxNvMFTHCaDAF2DjKXU9qVN59wTR5x1/9gu2rqCilg2cnd+Eezt1 pofYTh53vsbEwMFNVWE80zcjhF0SAar/OZSMJ4vC2yfBgDTSOLesWAla9TQ61BHQ iGCEd9SRbaYAxVKhhGFOJssyh8aEY49umxiqjMgQW/joE4PZGP0FjJ1zYmoMjjvd 1bXKwlh0dhB3D4VGZ2n1AYj9+7kMNG9VTOeDcCOKpgY9xvJJnBcUI/nZDkv4vty6 X1HQeRgSs1l5rTkK8EHwmmggS2/WT4gTO0YUfFrMFdQdrgAMx98= =w0qv -----END PGP SIGNATURE-----