-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2026 22:44:24 +0200 Source: libxml2.9 Architecture: source Version: 2.12.7+dfsg+really2.9.14-2.4 Distribution: unstable Urgency: medium Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org> Changed-By: Guilhem Moulin <guilhem@debian.org> Closes: 1125691 1125695 1125696 Changes: libxml2.9 (2.12.7+dfsg+really2.9.14-2.4) unstable; urgency=medium . * Non-maintainer upload. * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause excessive recursion during parsing, which may lead to stack exhaustion and application crashes. The parser now enforces a limit on inclusion depth when resolving nested `<include>` directives; the limit defaults to 1000 and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`. (Closes: #1125691) * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow. (Closes: #1125695) * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled resource consumption when processing XML catalogs containing repeated `<nextCatalog>` elements pointing to the same downstream catalog. (Closes: #1125696) * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow. * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the xmllint interactive shell. * Fix unit tests for CVE-2025-49794 and -49796. * Backport some more upstream changes from v2.15.2: + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`. + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`. + Fix memory leak in `xmlTextWriterStartAttributeNS()`. + Schematron: Fix additional memory leaks on error paths. + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries. Checksums-Sha1: c5de55e0766c3fb718b090a2659e510ddc3b6652 2970 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc b425065b720294772f54b60b903a023beeb9061e 58180 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz 15861829851d093b0448d4654b01ae94dbb2b753 5879 libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo Checksums-Sha256: c3fb271117808ed486348b559d066dfd37fdc94242a4e7e2ae6608c5e44338fe 2970 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc 2d82023b1459d89416669e6926af0b6914d3ea948da06d0545a76f14db8eb9b5 58180 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz f2163a7fedd052062e0121d7c86bd41c3af58ef6c9e2b0889a38456d5adccc82 5879 libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo Files: ce5eeb80c73e125fecf8a2f17454ddeb 2970 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc 81bdbc2463f75e8552f669749f6387b7 58180 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz e86a25d0e81973f7708e038190bd8b98 5879 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmol4H0ACgkQ05pJnDwh pVIkwA//QqMAR8lWQOeB6mb5rV/sjEcFb7wtXXyItM1kLE6BvcQTUe60Imnh4cBv BtlMsu8MWy7lALXxwS09f0JXVU2yvl0hbu0FbVlDCMNnNISAXapzhFf+r8SPfxTV KX9lzPLU3KnL99sGD69RlFIdwflJeE6qdfOFTPTrY1p1rm9neI2hESAR+04mAJS4 aOOlUD2OllEGC/JLTucNK49E8k1hPR2tFfVxHv+tygfqsgu58LtIxSSdNQ7kpOVY zHPLbPcj3rxiYWnC+uWVqyPsiNeTa7f9zCGAjCyh+aQFSP3WS5kWlDXxP/Z++mI9 ymcxlVIiAMgBZR3OmAPQnzephJ5CgG1rU2CUVw2DnG/OLqjUemGYy1N58Dj1Pyd0 uKG5jFr42qnL/xfaox5WuExpuIAGqXNfPJ2zxUz7RlCry2vgnraz1f+yMRIBvifV mZarZY621X2fIXCJhlE/VNvlEwGW8NulpBQJoFsuErvkkOa5sV2Uf0Mvh/jrbC4Z N9j27CThLoye2ZzKro4/Nlo6TD5Sp/K+mJld4t4XxgaSqsH7BdmgheBF9w/omisO aofilV8wlEJDRf7pjNN+ynBzNwPGoCGP/HtHIbMcWCPLfWC4EVnoM4kOBDZQoBBe qSC7ozQMwQShgbAyMnE2bYs1DLaWsGeNn7bansDqZEuZ04AREVk= =uaCL -----END PGP SIGNATURE-----
