-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2026 17:53:53 +0200
Source: libxml2
Binary: libxml2 libxml2-dbgsym libxml2-dev libxml2-utils libxml2-utils-dbgsym python3-libxml2 python3-libxml2-dbgsym
Architecture: mips64el
Version: 2.9.14+dfsg-1.3~deb12u6
Distribution: bookworm
Urgency: high
Maintainer: mipsel Build Daemon (mipsel-osuosl-03) <buildd_mips64el-mipsel-osuosl-03@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dev - GNOME XML library - development files
 libxml2-utils - GNOME XML library - utilities
 python3-libxml2 - GNOME XML library - Python3 bindings
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u6) bookworm; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
Checksums-Sha1:
 2d28958eea37c109ea56a42558994c8089ff73a4 1991164 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 2a4e682aa29b7a2cd63518e664d2e33312c2ddc2 811172 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 64956b82103cefb498b861044039e7506cc60eec 81160 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 232ba7ee8ad880db5fad22d7cb25802d19ed6551 97632 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 dc474f84a8db7b467ca3207433d501a4fab1cc61 9059 libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el-buildd.buildinfo
 1e78e2712e62dab03bc1e207b3e667fb729b8e18 603164 libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 fb74075ab36bd204b7ea80a16c4c80065b7ba27c 260332 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 e79ac323319e78c5e1c2a1eeb815ab234ddb6aec 174696 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
Checksums-Sha256:
 956da62b2d73dad55795049d1973ae57cfc8605a2769c7e11289285023aeaf67 1991164 libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 9988811e23f96e814addc48f4276c754ce307e19ec69f3c2618ce2c0af74c8e3 811172 libxml2-dev_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 b00e9b071ac6e8387c8370149b9b7e1bfcc1a789c4f859ba8cd95a23646cb7f4 81160 libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 17c817d57c7640c36bb748b985643af4b080b27027c42eedcc3528e103a15c32 97632 libxml2-utils_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 0066d5998631fd99858f894209578059a45e9e03c7a24d2f87675c01016cc663 9059 libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el-buildd.buildinfo
 bc13aa78958daa667ffbabde1cc7c8b6d2225a2edc6efe968c9d661302653804 603164 libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 65e1bec7ee382de265c0a01ba0b0a4bc77594e4bb21d2d365a68b4a616d8d0f7 260332 python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 83641ce3c28a92dfe756fa6cc3517fc99e5671409d808b011ca51a691417123b 174696 python3-libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
Files:
 4901ca8990d5a3325741aa9289bf7a32 1991164 debug optional libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 8d65ecb0feb1c8e0e9d8f7e2e936c0c6 811172 libdevel optional libxml2-dev_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 05b34385854040411cc15f8c2c6e0179 81160 debug optional libxml2-utils-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 1eb8efba238430d84ef0cb55dcaca3f6 97632 text optional libxml2-utils_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 a0285fdd9844dc485d9dbae2a5be83fd 9059 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el-buildd.buildinfo
 d737802137c872ebd57d06fa338b4272 603164 libs optional libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 146e54698496844a3cb763daa5090062 260332 debug optional python3-libxml2-dbgsym_2.9.14+dfsg-1.3~deb12u6_mips64el.deb
 b2bafef261577e6572c01e64ed33e084 174696 python optional python3-libxml2_2.9.14+dfsg-1.3~deb12u6_mips64el.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7sd7jtCtE5bBJ1Hx/qmHKZssfSAFAmooah8ACgkQ/qmHKZss
fSAXABAA8bdDWlhoGqxmoOb1GXz2W8YgwUbWrUNLPFSaDkrv2MaN8Q1hiNqRyM7u
KymJ2ME/Hq5LingUJPQyIxw2lBgj3rLJoCwl1YUneyYf4Hm7lBsnf0qXKFWnlhNF
B0/QlfCj4mZ13LfNuQHFmK2z0IOpLamEASQRIe5+KF3tStUZVRBg6Wk/qg0q153w
yRhG432hRrj3aAenFy13VjzKsMNO+Z1rIjYiOvpf7mJiA++/mPZGBYq0W8Gl+7ZC
548w1PiF9trhL3h+SFRYC5OQAeY4PaxLzWqLc82l4CLxwqZVE7mJ8pN7j0cktb+q
W6H7YMcYUdizS7DXEE4JuBuKA4JoVF9wtzBrCXjYzqkl5jVIrcq+2SJ4uZ5V8Bbz
/4AqvPJkeeeZnRohWSMBFw0n8endveJpg4C+rgsb6+ohWBbN/S9DpS9YdJeovXvA
1yUzevvSQSSlzJQAfLbN/bTCQEBXqVd9reuc49g5nMh72o1i75fM1ZGBOms0cA9C
OKmdEdw6ELmJqB8gTV0ZZFqRIFPdz9uOEa7pk0HHzTj1vB/xMT+GFoZKuqzAC62L
MXuOpqHy5rHDFK0dZegvVCOF4lq3e4YLIq9RD920ty9B6FcAcX0kjwQ9MM4bb9VQ
i++hMAytFt22MFjdGxMobpT+5WO4qAot9+sErN6PtF9uP0ZuPqo=
=ulPQ
-----END PGP SIGNATURE-----
