[xml/sgml-pkgs] libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_source.changes ACCEPTED into proposed-updates->stable-new
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Mon Jun 8 22:13:42 BST 2026
Thank you for your contribution to Debian.
Mapping trixie to stable.
Mapping stable to proposed-updates.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jun 2026 19:02:23 +0200
Source: libxml2
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u3
Distribution: trixie
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs at lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem at debian.org>
Closes: 1125691 1125695 1125696
Changes:
libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u3) trixie; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
excessive recursion during parsing, which may lead to stack exhaustion and
application crashes. The parser now enforces a limit on inclusion depth
when resolving nested `<include>` directives; the limit defaults to 1000
and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
(Closes: #1125691)
* Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
a catalog has a URI delegate referencing itself, eventually resulting in a
call stack overflow. (Closes: #1125695)
* Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
resource consumption when processing XML catalogs containing repeated
`<nextCatalog>` elements pointing to the same downstream catalog.
(Closes: #1125696)
* Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
recursively call each other without bounds until stack overflow.
* Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
xmllint interactive shell.
* Fix unit tests for CVE-2025-49794 and -49796.
* Backport some more upstream changes from v2.15.2:
+ Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
+ Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
+ Fix memory leak in `xmlTextWriterStartAttributeNS()`.
+ Schematron: Fix additional memory leaks on error paths.
+ Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
* Add d/salsa-ci.yml for Salsa CI.
Checksums-Sha1:
37c391a7c000ea7515c9745db1a2b286186f8f50 3085 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3.dsc
1d87d64579a19726bc00c1dd2d25dc85384d9586 58040 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3.debian.tar.xz
35d70dad3bd7bd4e70f1dfee0da4a5e44aed95d5 5903 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_source.buildinfo
Checksums-Sha256:
04b1da890535b11e3db231f39114ee09e643badceff79441d749d0ca78efaaa5 3085 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3.dsc
3b6d265f482d6a8fbe3c056d2006fb3b563b4a838f7258b388ac5f0b29206921 58040 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3.debian.tar.xz
32eb6af03f33f4e3d0e1dcaa9785c2888d8b9aeb1b86595d0a15aad8c56cb29a 5903 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_source.buildinfo
Files:
01a3bb806e33a46f5e266385660bc1a5 3085 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3.dsc
252478c7b538ca7c167d96b746442ff2 58040 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3.debian.tar.xz
6492712f2008fd74c2dd64b8040aefaa 5903 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----