-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2026 19:02:23 +0200 Source: libxml2 Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym Architecture: ppc64el Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3 Distribution: trixie Urgency: high Maintainer: ppc64el Build Daemon (ppc64el-osuosl-02) Changed-By: Guilhem Moulin Description: libxml2 - GNOME XML library libxml2-dev - GNOME XML library - development files libxml2-utils - GNOME XML library - utilities python3-libxml2 - GNOME XML library - Python3 bindings Closes: 1125691 1125695 1125696 Changes: libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. * Add d/salsa-ci.yml for Salsa CI. Checksums-Sha1: 01e1ffa8153f753261f46488dab52afb0ef975a3 2001412 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 8956519ba9d4a50e7d9d762ce2a932ab38b2d557 865444 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 5c268f1d713a915ab7269227563f5e4a8dd95928 81048 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 8bd33146832b781a834c9defbcb0bb1bc7c9f0c7 102284 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 4c00d959b39063392c9752a360befd854edb0dc8 9381 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el-buildd.buildinfo eab120a9bc4e2db1a2ce9ee8fc4e9c6092dbaf2c 731808 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 1bc78c5a651b14b455483368d8795542772c545c 254716 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 4fd43bd3f7929bc3098fd6d3bef4cdb1a11c8bcf 190436 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb Checksums-Sha256: 3251c4dbf41370571e36e6caad1517973dc5564bc4db8365dfc113b6a97ab09f 2001412 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 1a6dcfe46088393a18d9b1f29a1849358739e4b7d90cf3482137cbf6128b4d4e 865444 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb b2c723fd6ee17e3e0a0c1bf3eb50d9b81b63727e136581f912a290d03f83f839 81048 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb aeeecddc995a09552e5376f3ff6088f584ae4f44e397eb85834e795ba8e32ced 102284 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 862a4c72335c75e93a27e1d84a12e60815bb57dbba9b3d5cd2ce6afc10b41425 9381 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el-buildd.buildinfo 8c7fa41a7a6cda30297b6f6122ac5cb8bbd263cdb16b6071699787a566da4b45 731808 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 06270625b9eb0a221cc45ec18628eaba62937a3f3f03f77dac9d65f08097a673 254716 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 89fb3d8a5cd628a6c758a75d8e5399c9c08c108fb322f722df51ed4fbdea164d 190436 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb Files: 15bb372148470d7e8c7dfaf92d51a83a 2001412 debug optional libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb e51c845eb3e0dce20fc6e03c4d6e125e 865444 libdevel optional libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb dffad544cfb47171507b04b7ca081208 81048 debug optional libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb b7be968aa34b1729c6b8c47a79e35081 102284 text optional libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 242e9d6cd325511425040b34695df020 9381 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el-buildd.buildinfo 406cd853ce442be4630c32bee6a1d52d 731808 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb 1fc0707f2206994cbb48526b1e7b2924 254716 debug optional python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb aac89e0044712ddd4579c1604485ff61 190436 python optional python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_ppc64el.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE9ibmwdV9gdKNbK7oV8ucRsMTpuMFAmooYvkACgkQV8ucRsMT puON4g/+Kp94nJJxG0e4AkrMMRVtEO04s3uPg7CzOPhQ3LXDHebJ9NgHB74fUDgV E7TN+qYwRXfgnVBDUSw5Ez4AoQ3AbY9H8MIhbn1MidcAYH9NLL5mtAwUq4KNcRmc elehNIZTZdc5pWXADSdTF5GcA/yXa8YwOQNzI0gsPyWaYXv+DBr9HiI5Zxx2AJzE Sj8mG8jLb2VM4CoGkWHy7+JXfDHgyl9wMigtnbt62kLJ64dF6VOmXuaZqvm44T3i G3PSQG40fsOspKf+KHkhitATsBbnzAN+mVlotIAE/x0ishYmkeJuLNB7vB536DAW c5YNXyE3Q6r3BR3cHxM2c3QDPIBAuuup66aSDULrG/Q4GNw1dFRqnbebnF2gZUYw I8r1fqravNRzvP+ykh40v7yx/r2k5M2yDISpxhXNX8CawGMTfHs0Z2HwDrIwvN7J rnaoltMKl+Bx4Zg/uBsOePbtq0NkmyJx1YnQCTH0atMzCP7WIABVAIYVpbgfd7db ZB9Kh/87mg5HOzrjloHwR9EWHRQz8aziexNe2mDuRxd+C2gkY0/FRIt8EDeLsRLZ zHSHbTFqh3R1gtJczjud3NIWwEKT/a7Eha7cxc/oox/s3tp7hkbj4f7hEoa5An3t Xoe/YsvvM+nRAsFNmuSDBLJA1rbu+jDknm75ZouCj4feLKg3z68= =CwwO -----END PGP SIGNATURE-----