-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 19:02:23 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: arm64
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3
Distribution: trixie
Urgency: high
Maintainer: arm64 Build Daemon (arm-ubc-01) <buildd_arm64-arm-ubc-01@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
   * Add d/salsa-ci.yml for Salsa CI.
Checksums-Sha1:
 b469d6920136de155ee123afb5af53d8a5d779fe 1897928 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 ae76b0ab3b03c6bc163e6dab4381c324c132c06f 753452 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 b659948248949829118db4f21d86555dd2cc650f 80616 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 039ed2480f093c28b035d6d13fe4548da0284e21 99508 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 5118cee3596aa7ce39ff6af214a91643a7324f75 9333 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64-buildd.buildinfo
 2134e5dafdd15479196fd07e3362c3d3424832da 631428 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 98589b5a4e98456435af6bb827fcea78d052f669 247504 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 0a64c98f7c98eaf5dfdb3a7bbde37a7664962a2b 186932 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
Checksums-Sha256:
 52a2f9d187ccaca4753dbfe16cca5539bbc4aa91f80b23506f4eb1eef15de5cf 1897928 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 f8113dcd311bcef8f98264971c39e66ca93db60ed0a38730bd86911d54d06129 753452 libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 1552cfcdf62b88808bc900acc1756cc1bbb826ff6c064301183a4ad178692f97 80616 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 8fe018b0270315582f1fbb40cea2df2972ff77bc8faac516d71b92280622c97f 99508 libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 c985594a94454615cd7d8102e5869c6e2c67527db3114086167fe130c61f0663 9333 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64-buildd.buildinfo
 a66b9c960acef8ed9653223cbd00b155a92ebb758ea13a788c41609246c23bc7 631428 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 afe15d61c91038b4ea4ca96815af27938285c5ffea6162b74a89e9c330c7b9d1 247504 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 6f93f438927402884a9cdd2cc1bc1d257c2f979deb2ffeb2ee09e2e9baa84450 186932 python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
Files:
 99d059667f3c968f5a8b4569f18e6124 1897928 debug optional libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 bb61961673186cf7493af9bbc9b3d88b 753452 libdevel optional libxml2-dev_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 ceb181eaa5d5b27740008e123f4d3eeb 80616 debug optional libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 14777b9b4a40cec40053a2a3a714b9bf 99508 text optional libxml2-utils_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 4643e405036213df8e39a1e6dcc063b7 9333 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64-buildd.buildinfo
 a9e8d99406f5d5185074c9cb4523cec9 631428 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 f1159f50eb1a27641f638ac08435347b 247504 debug optional python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb
 4887e147fd65c290d45773cb0904e362 186932 python optional python3-libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_arm64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0Ha//LlsGOpbQ/H4xqCFmsOWgoYFAmooYtAACgkQxqCFmsOW
goYAxw//bbI4T1XSKREPImuJNGWlvW6zW8mrwhdMAcYgxLmB8g2LDyxBZttzIzMm
QKLolza4EqiIrSF1XbhtjTIKpcFUYmosRd4YdbTbVaNxM22sys3Z+JNzez8kA1ID
pvrjmqv2JXTtKTUE3XszlUm27tnHHg6qqGCe/e0WNHHMw86ha+GGSocU9COfQgbX
gbuDHW6G40xRgn25mIk5KbMe33r0PIWAs53ff3+3jkwZ9GIJVEJRjZ8v/12zo1lL
4bvxK8nJ3+Hog2h/j/gYzb4Js0bEp4r10Q39/yS7Zz5m310IKTdJqbWlm1uPLtKY
X09dJdpkQ+fHkOPYBILOn0cX0CJSyNg639dwm2/fenpEZ37A4DWwozdx0dssG9KE
rMioXWiKPLZV/Fso6CNx7+COrbobFpWpEQwVQBa5R0GZ9sMAi1ysa64Dxr33uk9h
snSsVZs6i+BAoWMhryLrAK2pO0VaN6GXEhve+bjLd2s/FmjiIPnYwqdYzuYkAgHm
7fZo85FmuFutvpHryv/3nLjV70Y0GoF31aid8j4Zw+mTMaF6t2YeKXccrDb6fUYo
URsobva5C659gJgIKn1ErKgMmvRVWbl1DgLGg+Tj5/hRJO5eWw//xxfxQ3gcmvF1
5YcGTXC9piMUdOztC8MIXlWQEZlnwv/mDcKeNNhpMH+aMvNvjiw=
=glHS
-----END PGP SIGNATURE-----
