-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2026 19:02:23 +0200 Source: libxml2 Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym Architecture: riscv64 Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3 Distribution: trixie Urgency: high Maintainer: riscv64 Build Daemon (rv-manda-03) Changed-By: Guilhem Moulin Description: libxml2 - GNOME XML library libxml2-dev - GNOME XML library - development files libxml2-utils - GNOME XML library - utilities python3-libxml2 - GNOME XML library - Python3 bindings Closes: 1125691 1125695 1125696 Changes: libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. * Add d/salsa-ci.yml for Salsa CI. Checksums-Sha1: 977a4080d3423ab4dc2a36f21e69619624adc818 1826500 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 3340ee615c28814f38880f6c5376370469b12c25 1949880 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 0bb383cfb49a506cb7466d4c71879410b4fd6ee0 76832 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb ae431c068f87b528c197875dd4223095637411fb 100456 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 30088af161308bf8c073904255265691cbe924b2 9329 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64-buildd.buildinfo bcb8a80eb164eaa4a3b018007c5d665f77ba463c 710292 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb f51c878f6538cf26537a16c3077a9d9b6924565f 226660 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 0b611a73e0db364d68d8aeec0048efae581c55a2 190964 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb Checksums-Sha256: 7f49efd95dfbe13df4670b788ce6948c1025916212db82e7cfe6fbb9f0a898f8 1826500 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb e7153814fe6e196ed1ea036788d1dfea4ae95a2c822a12e4590ea8dcf6a3bbd8 1949880 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 134dfedce80dac01f3ef08d9d098ad77ff5673a648520128f3fdc5e165a3bb39 76832 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 101ac3add7b223f327c9d39d56547cf14428865c8ca703b18854208b25b9cba2 100456 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb e385a2e64b3e93633b57e258cd3a8de9405f3dbb0f9a894e54f9bfd2510c26cd 9329 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64-buildd.buildinfo 77004ef1c170a52c598b66e305542b33b128e24289aee1a447203b3b625dc932 710292 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 76c32144072ff5926a470be0f7902e959ee93b1a17f8a0f48fe5c0e2e89e718a 226660 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb a0c4ec4fe03a70992c88c32269ad017b205b080b4bad107784637e31db555978 190964 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb Files: 4820bfc198d47e8635f1a499fcece1e8 1826500 debug optional libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb ef926c3af029a09551869dbadd6abf52 1949880 libdevel optional libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb f53e23377499af4b41904007d4ae58e4 76832 debug optional libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 5057a573f9b622da9faed9f88085bf34 100456 text optional libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb be997faa12e5004af0abda941d18c1dd 9329 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64-buildd.buildinfo b58868c039382c05d8a4404053a0dc60 710292 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 0cad7be98f12ab33a39f81dcf6dd401a 226660 debug optional python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb 6347dd90068a6b1d104667bc5dcf4984 190964 python optional python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_riscv64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXZ9jHPkg/vETgMJZlJNduPxUf2oFAmooZ3oACgkQlJNduPxU f2paig//a+3gr2cuCWKznmsbyE98DRuBgf+fqxV7O2qIwKrEMPU3yoAqAG0LjaBa i56omj7SzwHmJQK4KqUEtoz2oWoRcT0JBEG2W+Im5wo0T2QY35X5DCS1vA+V49Lt pL1IeABGLF2wOln/GIh7wA3D5XPwPG9Q82uA9VJl8wBxVDbRxG+B+1QXkMGwtS2v /KQ99UolAFVW0F9wHZ+QFI7Sy0qjifDCTKTRE4wIXPda9/wkiuf4Yr/IDFDtnPNY s00VxFVzQmONvT6bLlUt/6aMoLzg4SDK2moVxglbR6J+gFaA7tbwnDaIFOCTznDv AdExqLta7maO6IS5xgRb84XB8LktM8WV5la15bd8aMm9L2XULHgBf/Qw25Fgn+Nn xYZlj8KE2pfDxaiYZyGjRTwFw8H+s/Klmw9tiOQyevTRBnfVoqyYe8dA7jecqoXs OeqL4r+KjHUpra94QSJAPhRcPTtaNZ6JWXv6CyaGyCcvpRY9/EEoH3SlLw7ooVl7 rbaOVgyFJ7rf/aL7GVr7FbvHJN9rS8buGuzj4BIHPbmEJU5HcHuBJEigpXQLVkiH XOrcerhCQv3zQwUNEd2iK/AHdFdaVquFb09ZuQXlrzVucrAxsVNgyC5RNU9PLtEJ kZQ1PNA+8IL4JOF4dCyF5RN+/DraC9ZrySqHrakB60yjy5FZzJc= =dIBO -----END PGP SIGNATURE-----