-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: armel
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: armel Build Daemon (arm-conova-02) <buildd_arm64-arm-conova-02@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
Checksums-Sha1:
 60a1eaeea9078aaf853f99a0b04f0f36528e386d 1821948 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 c7a491861a0e0568ea075f2a17df517549433e5f 689336 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_armel.deb
 4f197f7dbeeed95b448caf8448ed138ba76f3dc0 76808 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 e8d007bee7c3492de6d98fab8cae4e9bbf5a8ed0 98392 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_armel.deb
 4cbc667318a4ad989bc4848b2a03f619643e7f90 9067 libxml2_2.9.14+dfsg-1.3~deb12u6_armel-buildd.buildinfo
 27ce3d1fe0b3e6e656b6ea477754d3e15a01fa11 573516 libxml2_2.9.14+dfsg-1.3~deb12u6_armel.deb
 9ec0343ea9b6d2ce560b3d9beffc1b5b9c17371f 248828 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 69ce6673a103b5f8ab89ad82bce793aa668707f5 178712 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_armel.deb
Checksums-Sha256:
 27053b31717cc5a67f59c0a56ace3fa5750e611af4352408975bda09cf6b55f0 1821948 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 11840e13b86ed9df6b67ffe869295869585450dd50cbbb6b26d8ebc190d44531 689336 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_armel.deb
 913fea42ee1cb9be2f6c5264dfc3c2b2249f08475149a214699431839b7d6e0a 76808 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 60f9dccc505be3bc6e04681b9abfd607df3b22f9238ffbae666d07a4e727bf72 98392 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_armel.deb
 1b2f726cfe760bdcd77a5c2081d7a7f35480e187f48305d3f1c6d2c6f473597b 9067 libxml2_2.9.14+dfsg-1.3~deb12u6_armel-buildd.buildinfo
 cfd29273cf99e4578c5f490c9975f9be7c1b264700acfb9ef678e57dc5ab9c9a 573516 libxml2_2.9.14+dfsg-1.3~deb12u6_armel.deb
 c9a2f101bf3b0ad52a66468dcdc68f3c0fdc85abd66f2eceeec5e4ae477c48cf 248828 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 64e9e5d3aff716fe027bb4dda19c63ef95398f0a52e244629ce9fc214c78a367 178712 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_armel.deb
Files:
 8d6f461003ed8b12a8caef4d3bddb694 1821948 debug optional libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 96f5887e2ae530056a96dbdcf04a95c8 689336 libdevel optional libxml2-dev_2.9.14+dfsg-1.3~deb12u6_armel.deb
 87903acb7902c9e5b6c074870dadccba 76808 debug optional libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 144cffc7c61eed7bb10ff46befe85ab0 98392 text optional libxml2-utils_2.9.14+dfsg-1.3~deb12u6_armel.deb
 da5c0d3ba679d6b4ff00107ddad029fd 9067 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_armel-buildd.buildinfo
 90fcfa79f73027122a1dfaee28ffb6ba 573516 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_armel.deb
 1d00fe30e577c92ce6cdbf9374b42cb3 248828 debug optional python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_armel.deb
 1534e83d4931f3423f0147c1140d8d8b 178712 python optional python3-libxml2_2.9.14+dfsg-1.3~deb12u6_armel.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWHj9K9pO9l4btbD1OQKMdMnEH5MFAmooaa4ACgkQOQKMdMnE
H5PqOhAAk6ATY9XR/1r6CHmWBcZ3HPhujIAzuuv4QyhQFO+imIZcIBMSeSiS3wEU
3iXu+7+ZAeU1qveQofC4vqWpHGaXTtzZWx4uHTJsn7KCI2MfSpdG+gVhAlLzyIWQ
3Ouabh7y+eM0ln/AioTyR0FfURpveCBVKhtsANNz23zh15UsJklxSfIv7GXKFRHJ
TECvRiuzm1rYCJgBKG4iEvLhDN3YMPJMmu3bjn+G/X072o6qDB621IhOpE48kbrt
XV7kftqS0G/juJocXke9kzx2y7GgbaH5iKoiPquiyOtsxpHVCeCloCS+9DAo6bMm
JgVE7s/lboUpjy1oydsRdD6OCQo9+ORbZL4mSvg3mA3WioseoezvtHgdssOxf1ih
W4wNQwS/iGtDq6ftS9VkMuZFLC3Pzvmt5/5XhZGYfdwSyDpW/fKwiRCS3PNbywnB
nkQDNlg584/RMpKprJcSHgnNjt5NiKeJAiAHlg39GDDtlzPyIn1JKX4cAEIONXwb
6VpPqcWJLWuolRwJJcoDQmPd8h4fYpkcGQJ2Ae+VsBUTevWZESqXWmUV7vXpffEM
hGJNBRHhjRzxO1SIfyF8WTEej6qQ76bLoTZbmpLkDfno+FEu9zHmIjr5eqs2abDu
Z9vwiWwdkWpW0PPZBEIzE5EUM410AheFSSV9kY/Tg70HUswuJlQ=
=X+bf
-----END PGP SIGNATURE-----