-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: s390x
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: s390x Build Daemon (zandonai) <buildd_s390x-zandonai@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
Checksums-Sha1:
 f225fa3fe641aa3ea77e571f224825f99d75ad87 1872580 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 eb3743ce3769f84ddfb40115aad4f771b51e0b6d 712512 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 7377369dd7e342c98c505e55048d89671b689365 76836 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 3d620e504e52c8587a3c945e25b56268bce10efd 97772 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 1f20bd620ec274fdcc9de2132dcd0b779c4ee380 9081 libxml2_2.9.14+dfsg-1.3~deb12u6_s390x-buildd.buildinfo
 e42c074ee5d084a3ac8dd80411ab36808330eaa1 606644 libxml2_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 5dc25f3eaff942ced49dd7f5335e1c449fb6c092 243608 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 abec522b2515516e1087da55588ef6165962f16c 187264 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_s390x.deb
Checksums-Sha256:
 23a09ffe4128d38502fb7efca66796823f15f6f80fd9fbf2fa6837bf55548156 1872580 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 10695303065cb146332bb048c70388baef471b14138f7b0bc3be24022d9d8a12 712512 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 2ef54399c2ff652d948404e83e9e37417402d0214f0e27999dcc25458aed2e5f 76836 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 746dc0963c2a1037f50b462d7bacc8befd857de83e0470f9bc9c5001277c4e12 97772 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 8162699138fe0ad1b85074d14ef2f85ad2445e55bf14190ad1bfc1720dc4d895 9081 libxml2_2.9.14+dfsg-1.3~deb12u6_s390x-buildd.buildinfo
 c26ea6b4ece1fd6bfd31e6e22cfbb8760d0e5bd80478f5d5c2a73f9b74089cea 606644 libxml2_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 05c817747294a2101a84c6b2dc58f0acafcb2d7f0800a4e53496bc398c0408ee 243608 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 93341338a6ee2ea830d823b06f6652dfb7c25a6ab83a6085dea4bef8d2e707d0 187264 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_s390x.deb
Files:
 461eaa373e032c328ae9b3a03139b011 1872580 debug optional libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 a30d25219204451f8c16f461116218e0 712512 libdevel optional libxml2-dev_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 a38beeee94f4cee9cd298af0b3fd425f 76836 debug optional libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 16d65ae1561feb358cd390d53fd0db16 97772 text optional libxml2-utils_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 5723aa105b337475120f697c771187ff 9081 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_s390x-buildd.buildinfo
 32b23d5a9222d9fea7339a7c0e02f4f6 606644 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 6b932e19b4c5a9094c452f9172049192 243608 debug optional python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_s390x.deb
 1d5a656c0f69e5ae7e5fadc5997f5e0b 187264 python optional python3-libxml2_2.9.14+dfsg-1.3~deb12u6_s390x.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEENly2ANlpa4eeqnluvVOPI7pYNpgFAmooafQACgkQvVOPI7pY
NpioYA//TjHgRrRFhMkXYegM9unQBvSe6drqjzjd7YnHq+Aow4iCoEfFwDn6KspK
7x0Jg3YPDlKwJeGoVClJsdHVyynfttK57fka9YURf7WA7vjt0qdCKnz+ewO7XIXV
0uUSgQjAKXoKlphITvSN6Hgi0po3PwA85FYaGrqOr+uC87wIPpk7i0awaT5J9rj+
Gguci7QgTRP0SPsEAPXGrr9GzGgqKXeuunukSY/nm3bueoU/WDump+KpUpMfbvQb
UU7aiL1yZS1AC20Lo+UFRd0wUud7Kuso5ob7gMtxuOdeYBs5hXduUUrlyVN76zfn
t00zOAC+OuqHHL+Fk7fGAoYTWC7cLpY/G4uwbcKXRjCmDE4RkINUJTtaIcfHtaI7
EwWgrxDnSN84kqcl85q0g+moxmw15A9AUJnB+GGrHfDyEK6h5dPdqqBjmEKZHYV0
+G0FYBdw2x9hchpg8cnorR2/OJqghJWrEmzIDvRjR8GNbc9ztvCBEA2BHWu8klg6
aNbGSGyxPyxDt8QqAnyNTM6CnxZMcZZasYJj/yD6o17eLK+C1o07w5mN3yaw6/79
OXedZSLi1JJx5ousMsZlEhFpfUzP74XkIsBjhC5W/GQR8UynYZAWiygOYMVmKvmd
mE3cF5Q4gIL7e0nP5JbQfTEUTAuFGAxOIJcan7RN0RH6r6FU238=
=PanG
-----END PGP SIGNATURE-----
