Format: 1.8
Date: Sun, 07 Jun 2026 22:44:24 +0200
Source: libxml2.9
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-2.4
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1125691 1125695 1125696
Changes:
 libxml2.9 (2.12.7+dfsg+really2.9.14-2.4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0989: Specially crafted or overly complex schemas can cause
     excessive recursion during parsing, which may lead to stack exhaustion and
     application crashes. The parser now enforces a limit on inclusion depth
     when resolving nested `<include>` directives; the limit defaults to 1000
     and can be modified at runtime with the env variable `RNG_INCLUDE_LIMIT`.
     (Closes: #1125691)
   * Fix CVE-2026-0990: `xmlCatalogXMLResolveURI()` will recurse infinitely if
     a catalog has a URI delegate referencing itself, eventually resulting in a
     call stack overflow. (Closes: #1125695)
   * Fix CVE-2026-0992: Denial of Service vulnerability due to uncontrolled
     resource consumption when processing XML catalogs containing repeated
     `<nextCatalog>` elements pointing to the same downstream catalog.
     (Closes: #1125696)
   * Fix CVE-2025-8732: When a catalog file contains a CATALOG directive
     pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()`
     recursively call each other without bounds until stack overflow.
   * Fix CVE-2026-1757: Memory leak issue in the command parsing logic of the
     xmllint interactive shell.
   * Fix unit tests for CVE-2025-49794 and -49796.
   * Backport some more upstream changes from v2.15.2:
     + Fix memory leak of prefix in `xmlTextWriterStartElementNS()`.
     + Mitigate use-after-free issue in `xmlRelaxNGValidateValue()`.
     + Fix memory leak in `xmlTextWriterStartAttributeNS()`.
     + Schematron: Fix additional memory leaks on error paths.
     + Catalog: Fix stack overflow from self-referencing SGML CATALOG entries.
Checksums-Sha1:
 c5de55e0766c3fb718b090a2659e510ddc3b6652 2970 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc
 b425065b720294772f54b60b903a023beeb9061e 58180 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz
 15861829851d093b0448d4654b01ae94dbb2b753 5879 libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo
Checksums-Sha256:
 c3fb271117808ed486348b559d066dfd37fdc94242a4e7e2ae6608c5e44338fe 2970 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc
 2d82023b1459d89416669e6926af0b6914d3ea948da06d0545a76f14db8eb9b5 58180 libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz
 f2163a7fedd052062e0121d7c86bd41c3af58ef6c9e2b0889a38456d5adccc82 5879 libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo
Files:
 ce5eeb80c73e125fecf8a2f17454ddeb 2970 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4.dsc
 81bdbc2463f75e8552f669749f6387b7 58180 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4.debian.tar.xz
 e86a25d0e81973f7708e038190bd8b98 5879 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.4_source.buildinfo
Location: DEFERRED
Delayed-Until: 2026-06-12 21:25:10
Delay-Remaining: 4 days 19:28
Fingerprint: 469CBAA776FDB1FCD475B304D39A499C3C21A552