Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: arm64
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: arm64 Build Daemon (arm-ubc-01)
Changed-By: Guilhem Moulin
Description:
 libxml2 - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion
     and application crashes. The parser now enforces a limit on inclusion
     depth when resolving nested `` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable
     `RNG_INCLUDE_LIMIT`. (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely
     if a catalog has a URI delegate referencing itself, eventually resulting
     in a call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.