-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2026 19:02:23 +0200 Source: libxml2 Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym Architecture: armel Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3 Distribution: trixie Urgency: high Maintainer: armel Build Daemon (arm-ubc-04) Changed-By: Guilhem Moulin Description: libxml2 - GNOME XML library libxml2-dev - GNOME XML library - development files libxml2-utils - GNOME XML library - utilities python3-libxml2 - GNOME XML library - Python3 bindings Closes: 1125691 1125695 1125696 Changes: libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. * Add d/salsa-ci.yml for Salsa CI. Checksums-Sha1: f3183585b7396b37dd07784516654d07aa1a4306 1863868 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 4b11210f2b8fee7015fa73157de591fdd52a2414 706020 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 6dded7a7aa78438201494e90221cee78cbb21bde 77056 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 5e033aaefe2de1f4ecbc88daba186270b72f47e2 99716 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb e80246fd71034b3f8f67d45e5aeea97c4cd4566f 9201 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel-buildd.buildinfo e497cfc8d4a53630d352c3948a520a7048bb7468 588784 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 85364886be6f731e43d7cf8541faeeffef5454dc 255232 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 1a7ab85cf737722ca2b2b235c53b3d890b1d1d1b 179768 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb Checksums-Sha256: d1016c6bb51a7531436c29b9a46720476b990441bb85bbf08f124bc4f21f7dc7 1863868 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 983b911e81df130b5f53ba505f62c2424c5a21f987266e3f5dcf5437def909ca 706020 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 96062c91545607d3aa56a674b7fa8e257a174586bd31ad5ad4dcddbfb430e7cb 77056 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 438e801b9acc8195f4a8abf17a19982854af193bfa6b2630b7c4263281fa8811 99716 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb e9e11c9402aac4aa349da24d3f9534fc4ef537da32f5eca34528b72be4b05595 9201 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel-buildd.buildinfo c1e2bda146953a92f448efb14578beadd7c4bc322cd3c1e9a372b65668ac11d6 588784 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb a763afce0e0fe141ad89696b66c1bb4fcd50818ef9112d8f01a36e6e669db631 255232 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb a2250496470ba33ab2f43f75dac9eb8afaa81a42d2e3ed78d045779e792fb33e 179768 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb Files: 7c4dcd90007d1b599d32d64db7cb1c92 1863868 debug optional libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 0971b93451da186b4f7ef3a5b627b7d4 706020 libdevel optional libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb e37d3bbe1ca292a734a62b1ff8755c01 77056 debug optional libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 3dfacbe809b0f437420a62136a08cf1f 99716 text optional libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb c740695d00a95c2a0422916f7a207323 9201 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel-buildd.buildinfo 333f7bd591f070e997e388ddb08da168 588784 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 6898c178ec4a06d903d510f4f200f94b 255232 debug optional python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb 6a69aec20b97eb21b07fca4c929e2cfa 179768 python optional python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_armel.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECx5fXZYVNP9tMtwlK1PZBedPspoFAmooYvoACgkQK1PZBedP spoaUg//fT6907rLtVHnJXbWijygII78SDb3niF3FupoFfmKUub6aDEo8Mh3Pjgo H4P86pN5FC3Sq2TltFbs0yGHgaYHbGHkwIQyfuUl8gvZuIV8Xv9GwG+cZLgppXqZ h3TrKsK9HfbWCqhVyJAwJ+uHGjwXJnsynHte2ZzAFKaM7bL/zEqHT+h4oZVLlsNc PJSThmneR9+19cYb3ZSAW6piKTxjF5DDc4wNI+BVk924sRbenNhAy/R92uluqpOq 6NfcQjoy24Bb58HICOYSdMsjABsqmx7FTZkEQjnTMCcVcksCuq34C7GKN5fIQXGT mH0JndZesedqUxXCFylY0Xr/JkzkSDs1lZhPnD6jIwW0Bkc+SV59hsfP9klDTayg Qafvgwoq0lC3QleRYA6wKQdX6WKhRvrYcWbZTzaTIYLGEMfFRMvLLUihiVWmpdf4 e3kT9/WV4gnlhdIHSc4ESh3FfrlyYwsDuY2cXKyTcKFeaLnRPbqhGoN2YowmiiYE 9WbvWqucreQd4jp1dztd8W5z7dkJ92JbtZgOZO6DEEF2TfYRzC8de3qPLvkmH+fu lQ528G9MSDfh6OvkGNhWrfypUhJRtwjIBrTRhS9S1PF2ViiT+xU66D6jtP4njTV+ n5u9uY2Dfm+UbGPficsvfqzODF44/egeBaGaV5AzTw+H5gHOa5Q= =KRcC -----END PGP SIGNATURE-----