Your message dated Wed, 25 Mar 2026 13:51:15 +0000
with message-id <[email protected]>
and subject line Bug#1125695: fixed in libxml2 2.15.2+dfsg-0.1
has caused the Debian Bug report #1125695,
regarding libxml2: CVE-2026-0990: Infinite recursion in xmlCatalogXMLResolveURI
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125695
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml2.9
Version: 2.15.1+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libxml2.

CVE-2026-0990[0]:
| A flaw was found in libxml2, an XML parsing library. This
| uncontrolled recursion vulnerability occurs in the
| xmlCatalogXMLResolveURI function when an XML catalog contains a
| delegate URI entry that references itself. A remote attacker could
| exploit this configuration-dependent issue by providing a specially
| crafted XML catalog, leading to infinite recursion and call stack
| exhaustion. This ultimately results in a segmentation fault, causing
| a Denial of Service (DoS) by crashing affected applications.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0990
    https://www.cve.org/CVERecord?id=CVE-2026-0990
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
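
An added example, not part of the bug report or of libxml2: a small audit that reads OASIS XML catalogs and reports delegate chains that loop back on themselves, the condition the CVE description names. It generalizes from `delegateURI` to the other two delegate entry types; the paths and catalogs are constructed, and `xml:base` and URI-form `catalog` attributes are not handled.

```python
import posixpath
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"
# OASIS catalog entries that hand resolution off to another catalog file.
HANDOFF = {NS + t for t in ("delegateURI", "delegateSystem", "delegatePublic")}

def handoff_targets(path, xml_text):
    """Catalog files that `path` hands resolution to, as normalized paths."""
    base = posixpath.dirname(path)
    return [posixpath.normpath(posixpath.join(base, el.get("catalog")))
            for el in ET.fromstring(xml_text).iter()
            if el.tag in HANDOFF and el.get("catalog")]

def find_catalog_cycles(catalogs):
    """catalogs maps path -> XML text; returns each loop as a list of paths."""
    graph = {posixpath.normpath(p): handoff_targets(p, x)
             for p, x in catalogs.items()}
    cycles, finished = [], set()

    def visit(node, stack):
        if node in stack:  # back edge: the delegate chain re-enters itself
            cycles.append(stack[stack.index(node):] + [node])
            return
        if node in finished or node not in graph:
            return
        stack.append(node)
        for nxt in graph[node]:
            visit(nxt, stack)
        stack.pop()
        finished.add(node)

    for start in graph:
        visit(start, [])
    return cycles

# Constructed sample: site.xml delegates a URI prefix back to itself.
_OPEN = '<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">'
SAMPLE = {
    "/etc/xml/catalog": _OPEN + '<delegateURI uriStartString="http://example.org/"'
                                ' catalog="site.xml"/></catalog>',
    "/etc/xml/site.xml": _OPEN + '<delegateURI uriStartString="http://example.org/"'
                                 ' catalog="site.xml"/></catalog>',
    "/etc/xml/other.xml": _OPEN + '<uri name="http://example.net/a" uri="a.xml"/></catalog>',
}

if __name__ == "__main__":
    for loop in find_catalog_cycles(SAMPLE):
        print("delegation loop:", " -> ".join(loop))
```
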
--- Begin Message ---
Source: libxml2
Source-Version: 2.15.2+dfsg-0.1
Done: Matthias Klose <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 25 Mar 2026 14:30:48 +0100
Source: libxml2
Architecture: source
Version: 2.15.2+dfsg-0.1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Closes: 1125691 1125695 1125696
Changes:
 libxml2 (2.15.2+dfsg-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * New upstream bug fix release.
     Security issues:
     - CVE-2026-1757 fix: Memory leak in xmllint Shell - shell.c
     - CVE-2026-0990 fix: Prevent infinite recursion in
       xmlCatalogListXMLResolve. Closes: #1125695.
     - CVE-2026-0992 fix: Exponential behavior when handling
       parser: Fix infinite loop in xmlCtxtParseContent. Closes: #1125696.
     - CVE-2025-10911 libxslt related: Ignore next/prev of documents when
       traversing XPath
     - CVE-2026-0989 fix: Add RelaxNG include limit. Closes: #1125691.
     - xmlIO: use size_t for buffer size reallocation
     - uri: fix signed integer overflow in xmlBuildRelativeURISafe
     - schematron: fix memory leaks on error paths in xmlSchematronParseRule
     - catalog: fix stack overflow from self-referencing SGML CATALOG entries
     Improvements
     - fuzz: Make fuzzy encoding match more lenient
     - Fix C14N type confusion
     - meson: Fix build with Meson < 1.3
     - xmllint: Use zlib directly
     - xmllint: New option to separate xpath results using null, --xpath0
     - autotools: Make valgrind actually check for leaks
     - meson: Add valgrind test setup
     - Fix xmlOutputBufferGetContent output when encoder is set
     - threads: don't force _WIN32_WINNT to Vista if it's set to a higher value
     - dist: Add generated documentation to the dist as "dist-doc" folder
       to simplify downstream packaging of doc
     - Fix xmlRemoveEntity removing from wrong hash table
     - use duplicating variant in relaxng to mitigate UAF
     - Fix memory leak in xmlTextWriterStartAttributeNS on OOM
     - meson: remove hardcoded buildtype=debug default
     - Fix memory leak of prefix in xmlTextWriterStartElementNS()
     - writer: Add a few extra NULL checks to avoid memory leaks on corrupt
       writer path.
   * Update symbols file.
   * Don't include the sources twice in the libxml2-source package.
   * Bump standards version.


--- End Message ---
