Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2026-03-24 18:48:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and /work/SRC/openSUSE:Factory/.libxml2.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Tue Mar 24 18:48:13 2026 rev:141 rq:1341979 version:2.15.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2026-02-17 16:35:48.118467603 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.8177/libxml2.changes 2026-03-24 18:48:28.933503364 +0100 
@@ -1,0 +2,43 @@ +Thu Mar 5 13:36:31 UTC 2026 - Andreas Stieger <[email protected]> + +- Update to 2.15.2: + * parser: Fix attribute normalization and standalone check + * meson: Fix install dir of man pages + * tree: Undeprecate several struct members + * io: Undeprecate xmlOutputBuffer members + * valid: Undeprecate xmlValidGetPotentialChildren +- includes changes from 2.15.1: + * More accessors for xmlParserCtxt were added + * built-in HTTP client removed + * support for LZMA compression removed + * Parser option XML_PARSE_UNZIP is now required to read + compressed data + * HTML serialization and handling of character encodings is more + in line with the HTML5 spec now +- drop patches included upstream or fixed differently: + * libxml2-CVE-2025-10911.patch + * libxml2-CVE-2025-8732.patch + * libxml2-CVE-2026-0989.patch + * libxml2-CVE-2026-0990.patch + * libxml2-CVE-2026-0992.patch + * libxml2-CVE-2026-1757.patch +- drop python bindings patches: + * libxml2-python3-unicode-errors.patch + * libxml2-python3-string-null-check.patch +- no longer build API documentation, requires doxygen +- no longer build python bindings, scheduled for 2.16 removal +- no longer build support for Schematron, same +- no longer build zlib compressed file I/O, considered for removal + +------------------------------------------------------------------- +Fri Feb 27 12:07:15 UTC 2026 - Andreas Stieger <[email protected]> + +- Update to 2.14.6: + * regexp: Avoid integer overflow and OOB array access + * tree: Guard against atype corruption + * valid: Don't add ids when validating entity content + * Fix initGenericErrorDefaultFunc(NULL) + * valid: Undeprecate xmlAdd*Decl +- drop libxml2-CVE-2025-7425.patch, issue is addressed in libxslt + +------------------------------------------------------------------- Old: ---- _multibuild libxml2-2.14.5.tar.xz libxml2-CVE-2025-10911.patch libxml2-CVE-2025-7425.patch libxml2-CVE-2025-8732.patch libxml2-CVE-2026-0989.patch libxml2-CVE-2026-0990.patch 
libxml2-CVE-2026-0992.patch libxml2-CVE-2026-1757.patch libxml2-python3-string-null-check.patch libxml2-python3-unicode-errors.patch New: ---- libxml2-2.15.2.tar.xz ----------(Old B)---------- Old:- drop patches included upstream or fixed differently: * libxml2-CVE-2025-10911.patch * libxml2-CVE-2025-8732.patch Old: * valid: Undeprecate xmlAdd*Decl - drop libxml2-CVE-2025-7425.patch, issue is addressed in libxslt Old: * libxml2-CVE-2025-10911.patch * libxml2-CVE-2025-8732.patch * libxml2-CVE-2026-0989.patch Old: * libxml2-CVE-2025-8732.patch * libxml2-CVE-2026-0989.patch * libxml2-CVE-2026-0990.patch Old: * libxml2-CVE-2026-0989.patch * libxml2-CVE-2026-0990.patch * libxml2-CVE-2026-0992.patch Old: * libxml2-CVE-2026-0990.patch * libxml2-CVE-2026-0992.patch * libxml2-CVE-2026-1757.patch Old: * libxml2-CVE-2026-0992.patch * libxml2-CVE-2026-1757.patch - drop python bindings patches: Old: * libxml2-python3-unicode-errors.patch * libxml2-python3-string-null-check.patch - no longer build API documentation, requires doxygen Old:- drop python bindings patches: * libxml2-python3-unicode-errors.patch * libxml2-python3-string-null-check.patch ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.2d7kyq/_old 2026-03-24 18:48:29.953544715 +0100 +++ /var/tmp/diff_new_pack.2d7kyq/_new 2026-03-24 18:48:29.953544715 +0100 @@ -2,6 +2,7 @@ # spec file for package libxml2 # # Copyright (c) 2026 SUSE LLC and contributors +# Copyright (c) 2026 Andreas Stieger <[email protected]> # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,74 +17,24 @@ # -%define base_name libxml2 %define libname libxml2-16 -%define flavor @BUILD_FLAVOR@%nil -%if "%{flavor}" == "python" -%define dash - -%define buildpython 1 -%endif - -%{?sle15allpythons} -Name: libxml2%{?dash}%{flavor} -Version: 2.14.5 +Name: libxml2 +Version: 2.15.2 Release: 0 -License: MIT Summary: A Library to Manipulate XML Files +License: MIT URL: https://gitlab.gnome.org/GNOME/libxml2 -Source0: https://download.gnome.org/sources/%{name}/2.14/libxml2-%{version}.tar.xz +Source0: https://download.gnome.org/sources/%{name}/2.15/libxml2-%{version}.tar.xz Source1: baselibs.conf # W3C Conformance tests Source2: https://www.w3.org/XML/Test/xmlts20080827.tar.gz - -### -- Upstream patches range from 0 to 999 -- ### -# PATCH-FIX-UPSTREAM libxml2-python3-unicode-errors.patch bsc#1064286 [email protected] -# remove segfault after doc.freeDoc() -Patch0: libxml2-python3-unicode-errors.patch -# PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 [email protected] -# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/15 -Patch1: libxml2-python3-string-null-check.patch -# CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr -Patch2: libxml2-CVE-2025-7425.patch -# CVE-2025-8732: infinite recursion in catalog parsing functions when processing malformed SGML catalog files (bsc#1247858, bsc#1247850) -# - https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/337 -Patch3: libxml2-CVE-2025-8732.patch -# CVE-2026-0989: call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `<include>` directives (bsc#1256804, bsc#1256805, bsc#1256810) -# - https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374 -Patch4: libxml2-CVE-2026-0989.patch -# CVE-2025-10911: use-after-free with key data stored cross-RVT (bsc#1250553) -# - https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/345 -Patch5: libxml2-CVE-2025-10911.patch -# 
CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257593, bsc#1257594, bsc#1257595) -# - https://gitlab.gnome.org/GNOME/libxml2/-/commit/160c8a43ba37dfb07ebe6446fbad9d0973d9279d -# - https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009 -Patch6: libxml2-CVE-2026-1757.patch -# CVE-2026-0990: call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI` (bsc#1256806, bsc#1256807, bsc#1256811) -# - https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/368 -Patch7: libxml2-CVE-2026-0990.patch -# CVE-2026-0992: excessive resource consumption when processing XML catalogs due to exponential behavior when handling `<nextCatalog>` elements (bsc#1256808, bsc#1256809, bsc#1256812) -# - https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/377 -Patch8: libxml2-CVE-2026-0992.patch -# IMPORTANT NOTE: remove automake, libtool buildrequires (+ autoreconf in prep section) once CVE-2026-0992 patch is not needed anymore -BuildRequires: automake -BuildRequires: libtool -# BuildRequires: fdupes BuildRequires: pkgconfig +%if 0%{?suse_version} >= 1600 +BuildRequires: pkgconfig(history) +BuildRequires: pkgconfig(readline) +%else BuildRequires: readline-devel -BuildRequires: pkgconfig(liblzma) -BuildRequires: pkgconfig(zlib) -%if 0%{?buildpython} -BuildRequires: %{python_module devel} -BuildRequires: %{python_module pip} -BuildRequires: %{python_module setuptools} -BuildRequires: %{python_module wheel} -BuildRequires: %{python_module xml} -BuildRequires: python-rpm-macros -BuildRequires: pkgconfig(libxml-2.0) -# TW: generate subpackages for every python3 flavor -%define python_subpackage_only 1 -%python_subpackages %endif %description 
@@ -112,23 +63,18 @@ %package tools Summary: Tools using libxml -Provides: %{base_name} = %{version}-%{release} +Provides: %{name} = %{version}-%{release} # Use hardcoded version to avoid unwanted behavior in the future. -Obsoletes: %{base_name} < 2.9.13 +Obsoletes: %{name} < 2.9.13 %description tools This package contains xmllint, a very useful tool proving libxml's power. %package devel Summary: Development files for libxml2, an XML manipulation library -Requires: %{base_name} = %{version} -Requires: %{base_name}-tools = %{version} Requires: %{libname} = %{version} -Requires: glibc-devel -Requires: libxml2 = %{version} -Requires: readline-devel -Requires: xz-devel -Requires: pkgconfig(liblzma) +Requires: %{name} = %{version} +Requires: %{name}-tools = %{version} Requires: pkgconfig(zlib) %description devel 
@@ -138,98 +84,35 @@ This subpackage contains header files for developing applications that want to make use of libxml. -%package doc -Summary: Documentation for libxml, an XML manipulation library -Requires: %{libname} = %{version} -# some doc was wrongly in a slpp package -Conflicts: libxml2-2 < 2.14 -BuildArch: noarch - -%description doc -The XML C library was initially developed for the GNOME project. It is -now used by many programs to load and save extensible data structures -or manipulate any kind of XML files. - -%package -n python-libxml2 -Summary: Python Bindings for %{name} -Requires: %{libname} = %{version} -Requires: python-extras -Provides: %{base_name}-python = %{version}-%{release} -Provides: python-libxml2-python = %{version}-%{release} -# Use hardcoded version to avoid unwanted behavior in the future. -Obsoletes: %{base_name}-python < 2.9.13 -Obsoletes: python-libxml2-python < 2.9.13 - -%description -n python-libxml2 -This package contains a module that permits -applications written in the Python programming language to use the -interface supplied by the libxml2 library to manipulate XML files. - -This library allows manipulation of XML files. It includes support for -reading, modifying, and writing XML and HTML files. There is DTD -support that includes parsing and validation even with complex DTDs, -either at parse time or later once the document has been modified. - %prep %autosetup -p1 -n libxml2-%{version} -autoreconf -ifv # Required by patch for CVE-2026-0992 -sed -i '1 s|/usr/bin/env python|/usr/bin/python3|' doc/apibuild.py %build -%if ! 0%{?buildpython} # TODO -- Document why are we using the -fno-strict-aliasing extra flag. 
export CFLAGS="%{optflags} -fno-strict-aliasing" %configure \ --disable-silent-rules \ --disable-static \ --docdir=%{_docdir}/%{base_name} \ - --without-python \ --with-history \ - --enable-ipv6 \ --with-sax1 \ --with-regexps \ --with-threads \ --with-reader \ - --with-ftp \ --with-http \ - --with-legacy + %{nil} -%make_build BASE_DIR="%{_docdir}" DOC_MODULE="%{base_name}" -%else -%configure --with-python=%{__python3} -pushd python -%if 0%{suse_version} > 1500 -export PYTHONPATH="." -%pyproject_wheel -%else -%python_build -%endif -popd -%endif +%make_build BASE_DIR="%{_docdir}" DOC_MODULE="%{name}" %install -%if ! 0%{?buildpython} -%make_install BASE_DIR="%{_docdir}" DOC_MODULE="%{base_name}" +%make_install BASE_DIR="%{_docdir}" DOC_MODULE="%{name}" find %{buildroot} -type f -name "*.la" -delete -print -mkdir -p "%{buildroot}/%{_docdir}/%{base_name}" -cp -a NEWS README.md %{buildroot}%{_docdir}/%{base_name}/ +mkdir -p "%{buildroot}/%{_docdir}/%{name}" ln -s libxml2/libxml %{buildroot}%{_includedir}/libxml # Remove duplicated file Copyright as not found by fdupes -rm -fr %{buildroot}%{_docdir}/%{base_name}/Copyright +rm -fr %{buildroot}%{_docdir}/%{name}/Copyright %fdupes %{buildroot}%{_datadir} -%else -pushd python -%if 0%{suse_version} > 1500 -%pyproject_install -%else -%python_install -%endif -popd -chmod a-x python/tests/*.py -%python_expand %fdupes %{buildroot}%{$python_sitearch} -%endif -%if ! 0%{?buildpython} %check # qemu-arm can't keep up atm, disabling check for arm %ifnarch %{arm} 
@@ -241,41 +124,21 @@ %ldconfig_scriptlets -n %{libname} %files -n %{libname} -%{_libdir}/lib*.so.* %license Copyright +%{_libdir}/lib*.so.* -# the -n %%base_name tag is necessary so that python_subpackages does not interfere -%files -n %{base_name}-tools +%files tools +%license Copyright %{_bindir}/xmllint %{_bindir}/xmlcatalog -%{_mandir}/man1/xmllint.1%{?ext_man} -%{_mandir}/man1/xmlcatalog.1%{?ext_man} -%files -n %{base_name}-devel +%files devel +%license Copyright +%doc NEWS README.md %{_bindir}/xml2-config %{_includedir}/libxml %{_includedir}/libxml2 %{_libdir}/lib*.so %{_libdir}/pkgconfig/*.pc %{_libdir}/cmake -%{_mandir}/man1/xml2-config.1%{?ext_man} - -%files -n %{base_name}-doc -%doc %dir %{_docdir}/%{base_name} -%doc %{_docdir}/%{base_name}/[ANRCT]* -%{_datadir}/gtk-doc/html/* -%doc %{_docdir}/%{base_name}/*.html -# owning these directories prevents gtk-doc <-> libxml2 build loop: -%dir %{_datadir}/gtk-doc -%dir %{_datadir}/gtk-doc/html - -%else - -%files %{python_files libxml2} -%doc python/libxml2class.txt -%doc doc/*.py -%doc python/README -%pycache_only %{python_sitearch}/__pycache__/*libxml2* -%{python_sitearch}/*libxml2* -%endif ++++++ libxml2-2.14.5.tar.xz -> libxml2-2.15.2.tar.xz ++++++ ++++ 652738 lines of diff (skipped)
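Review bot: In the libxml2.changes hunk (`@@ -1,0 +2,43 @@`), the entry "drop patches included upstream or fixed differently" lists six CVE patches without saying which of the two applies to each, and none of the bsc# references carried by the removed spec comments (for example bsc#1250553 for CVE-2025-10911) appear in the new changelog text. Suggest one line per patch stating "included upstream" or "fixed differently" together with its bsc#, so the status of each CVE can be checked from the changelog alone. The 2.15.1 items "built-in HTTP client removed" and "Parser option XML_PARSE_UNZIP is now required to read compressed data" change behaviour for dependent packages and would merit being marked as such.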
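Review bot: In the `%package devel` part of hunk `@@ -112,23 +63,18 @@`, `Requires: pkgconfig(zlib)` stays as an unchanged line while `BuildRequires: pkgconfig(zlib)` is removed in the preamble hunk and the changelog says zlib compressed file I/O is no longer built. If the library is no longer built against zlib, the devel package has no reason to pull in the zlib development files; suggest dropping the line together with the removed `Requires: pkgconfig(liblzma)`, or adding a spec comment that says why it has to stay.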
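Review bot: In the `%build` part of hunk `@@ -138,98 +84,35 @@`, the unchanged line `--docdir=%{_docdir}/%{base_name} \` still uses `%{base_name}`, although `%define base_name libxml2` is removed in the preamble hunk and every other use in the spec is converted to `%{name}`. rpm leaves an undefined macro unexpanded, so the docdir passed to configure would contain the literal text `%{base_name}`; suggest `--docdir=%{_docdir}/%{name} \`. Two smaller points in the same hunk: `--with-http` remains while `--with-ftp` is removed and the changelog states that the built-in HTTP client was removed, and the `doc` and `python-libxml2` subpackages are deleted without any `Obsoletes:` being added in the visible spec, so upgrades have no declared path for installed libxml2-doc and python-libxml2 packages.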
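Review bot: In the `%files` hunk `@@ -241,41 +124,21 @@`, the `%{_mandir}/man1/` entries for xmllint, xmlcatalog and xml2-config are removed, but the changelog only mentions that API documentation is no longer built. Either the man pages are still installed and are now unpackaged, or users lose them without notice; suggest keeping the entries, or adding a changelog line stating that the man pages are no longer shipped and why.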
