Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: armhf
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: armhf Build Daemon (arm-ubc-05)
Changed-By: Guilhem Moulin
Description:
 libxml2 - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `` directives; the limit defaults to 1000 and can be
     modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated ``
     elements pointing to the same downstream catalog. (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.