[ubuntu/resolute-proposed] libxml2 2.15.2+dfsg-0.1 (Accepted)

Matthias Klose m1 at klose.in-berlin.de
Fri Mar 27 10:11:35 UTC 2026


libxml2 (2.15.2+dfsg-0.1) unstable; urgency=high

  * Non-maintainer upload.
  * New upstream bug fix release.
    Security issues:
    - CVE-2026-1757 fix: Memory leak in xmllint Shell - shell.c
    - CVE-2026-0990 fix: Prevent infinite recursion in
      xmlCatalogListXMLResolve. Closes: #1125695.
    - CVE-2026-0992 fix: Exponential behavior when handling
      parser: Fix infinite loop in xmlCtxtParseContent. Closes: #1125696.
    - CVE-2025-10911 libxslt related: Ignore next/prev of documents when
      traversing XPath
    - CVE-2026-0989 fix: Add RelaxNG include limit. Closes: #1125691.
    - xmlIO: use size_t for buffer size reallocation
    - uri: fix signed integer overflow in xmlBuildRelativeURISafe
    - schematron: fix memory leaks on error paths in xmlSchematronParseRule
    - catalog: fix stack overflow from self-referencing SGML CATALOG entries
    Improvements:
    - fuzz: Make fuzzy encoding match more lenient
    - Fix C14N type confusion
    - meson: Fix build with Meson < 1.3
    - xmllint: Use zlib directly
    - xmllint: New option to separate xpath results using null, --xpath0
    - autotools: Make valgrind actually check for leaks
    - meson: Add valgrind test setup
    - Fix xmlOutputBufferGetContent output when encoder is set
    - threads: don't force _WIN32_WINNT to Vista if it's set to a higher value
    - dist: Add generated documentation to the dist as "dist-doc" folder
      to simplify downstream packaging of doc
    - Fix xmlRemoveEntity removing from wrong hash table
    - use duplicating variant in relaxng to mitigate UAF
    - Fix memory leak in xmlTextWriterStartAttributeNS on OOM
    - meson: remove hardcoded buildtype=debug default
    - Fix memory leak of prefix in xmlTextWriterStartElementNS()
    - writer: Add a few extra NULL checks to avoid memory leaks on corrupt
      writer path.
  * Update symbols file.
  * Don't include the sources twice in the libxml2-source package.
  * Bump standards version.

Date: 2026-03-25 16:46:38.312535+00:00
Signed-By: Matthias Klose <m1 at klose.in-berlin.de>
https://launchpad.net/ubuntu/+source/libxml2/2.15.2+dfsg-0.1