-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: i386
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02) <buildd_amd64-x86-ubc-02@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
