[ubuntu/resolute-proposed] libxml2 2.15.1+dfsg-2ubuntu1 (Accepted)

Hlib Korzhynskyy hlib.korzhynskyy at canonical.com
Thu Jan 22 14:40:19 UTC 2026


libxml2 (2.15.1+dfsg-2ubuntu1) resolute; urgency=medium

  * SECURITY UPDATE: Infinite recursion with SGML catalogs.
    - debian/patches/CVE-2025-8732.patch: Add catalog depth and checks in
      catalog.c. Add test files in result/catalogs/recursive and
      test/catalogs/recursive.sgml.
    - CVE-2025-8732
  * SECURITY UPDATE: Infinite recursion when resolving include directives in
    RelaxNG parser.
    - debian/patches/CVE-2026-0989.patch: Add xmlRelaxParserSetIncLImit in
      include/libxml/relaxng.h. Add include limit and checks in relaxng.c. Add
      test and test files in runtest.c,
      test/relaxng/include/include-limit.rng,
      test/relaxng/include/include-limit_1.rng,
      test/relaxng/include/include-limit_2.rng, and
      test/relaxng/include/include-limit_3.rng.
    - debian/libxml2-16.symbols: Add new xmlRelaxParserSetIncLImit symbol.
    - CVE-2026-0989
  * SECURITY UPDATE: Infinite recursion in URI dereferencing.
    - debian/patches/CVE-2026-0990.patch: Add MAX_CATAL_DEPTH and other checks
      in catalog.c.
    - CVE-2026-0990
  * SECURITY UPDATE: Uncontrolled resource consumption in catalogs.
    - debian/patches/CVE-2026-0992.patch: Add catalog duplication checks in
      catalog.c.
    - CVE-2026-0992

Date: Thu, 22 Jan 2026 10:26:27 -0330
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/libxml2/2.15.1+dfsg-2ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 22 Jan 2026 10:26:27 -0330
Source: libxml2
Built-For-Profiles: noudeb
Architecture: source
Version: 2.15.1+dfsg-2ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Original-Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs at lists.alioth.debian.org>

