-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: s390x
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: s390x Build Daemon (zandonai)
Changed-By: Guilhem Moulin
Description:
 libxml2 - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion
     and application crashes. The parser now enforces a limit on inclusion
     depth when resolving nested `` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable
     `RNG_INCLUDE_LIMIT`. (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely
     if a catalog has a URI delegate referencing itself, eventually resulting
     in a call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.