[xml/sgml-pkgs] libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.changes ACCEPTED into unstable
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Mon Jun 8 08:20:01 BST 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jun 2026 22:44:24 +0200
Source: libxml2.9
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-2.4
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs at lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem at debian.org>
Closes: 1125691 1125695 1125696
Changes:
libxml2.9 (2.12.7+dfsg+really2.9.14-2.4) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
excessive recursion during parsing, which may lead to stack exhaustion and
application crashes. The parser now enforces a limit on inclusion depth
when resolving nested `<include>` directives; the limit defaults to 1000
and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
(Closes: #1125691)
* Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
a catalog has a URI delegate referencing itself, eventually resulting in a
call stack overflow. (Closes: #1125695)
* Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
resource consumption when processing XML catalogs containing repeated
`<nextCatalog>` elements pointing to the same downstream catalog.
(Closes: #1125696)
* Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
recursively call each other without bounds until stack overflow.
* Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
xmllint interactive shell.
* Fix unit tests for CVE-2025-49794 and -49796.
* Backport some more upstream changes from v2.15.2:
+ Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
+ Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
+ Fix memory leak in `xmlTextWriterStartAttributeNS()`.
+ Schematron: Fix additional memory leaks on error paths.
+ Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
Checksums-Sha1:
c5de55e0766c3fb718b090a2659e510ddc3b6652 2970 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc
b425065b720294772f54b60b903a023beeb9061e 58180 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz
15861829851d093b0448d4654b01ae94dbb2b753 5879 libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo
Checksums-Sha256:
c3fb271117808ed486348b559d066dfd37fdc94242a4e7e2ae6608c5e44338fe 2970 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc
2d82023b1459d89416669e6926af0b6914d3ea948da06d0545a76f14db8eb9b5 58180 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz
f2163a7fedd052062e0121d7c86bd41c3af58ef6c9e2b0889a38456d5adccc82 5879 libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo
Files:
ce5eeb80c73e125fecf8a2f17454ddeb 2970 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc
81bdbc2463f75e8552f669749f6387b7 58180 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz
e86a25d0e81973f7708e038190bd8b98 5879 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----