-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 19:02:23 +0200
Source: libxml2
Binary: libxml2-doc
Architecture: all
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3
Distribution: trixie
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02) <buildd_all-x86-grnet-02@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libxml2-doc - GNOME XML library - documentation
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
   * Add d/salsa-ci.yml for Salsa CI.
Checksums-Sha1:
 7bc63514ae6e891cfeba6ff5a76b604cf587e94a 668604 libxml2-doc_2.12.7+dfsg+really2.9.14-2.1+deb13u3_all.deb
 fddb147fba2716b6171aa07e141a685220b4e454 5750 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_all-buildd.buildinfo
Checksums-Sha256:
 e85416db02598b4c2a8b14007a4c722b1278b40c164a3be3fd117340c5401326 668604 libxml2-doc_2.12.7+dfsg+really2.9.14-2.1+deb13u3_all.deb
 2f988073d08728f60153c9a5a4b68a6acb0e7c12577f3b9cae493e9713d902de 5750 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_all-buildd.buildinfo
Files:
 36711f50a70e6a890f323eed057c6ead 668604 doc optional libxml2-doc_2.12.7+dfsg+really2.9.14-2.1+deb13u3_all.deb
 96f7f7cdb436b8ee6d14310b9191e2ba 5750 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
