Format: 1.8
Date: Sun, 07 Jun 2026 19:02:23 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: s390x
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3
Distribution: trixie
Urgency: high
Maintainer: s390x Build Daemon (zani)
Changed-By: Guilhem Moulin
Description:
 libxml2 - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion
     and application crashes. The parser now enforces a limit on inclusion
     depth when resolving nested `` directives; the limit defaults to 1000 and
     can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in
     a call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated ``
     elements pointing to the same downstream catalog. (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
   * Add d/salsa-ci.yml for Salsa CI.