Wiki - https://fedoraproject.org/wiki/Changes/Libxml215

Discussion thread -
https://discussion.fedoraproject.org/t/f45-change-proposal-libxml215-system-wide/193575


This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
Update the <code>libxml2</code> library from version 2.13.9 to 2.15.3.
This release includes critical security fixes and requires a
system-wide mass rebuild due to an ABI (soname) change. Additionally,
this update marks the official deprecation of the libxml2 Python
bindings, which are scheduled for removal in 2.16.

== Owner ==
* Name: [[User:Amigadave| David King]]
* Email: [email protected]


== Detailed Description ==
The update to 2.15.3 is necessary to address several security
vulnerabilities fixed only in version 2.15.2 and above. Version 2.14
introduces an ABI change, requiring all packages linked against
libxml2 to be rebuilt.

Furthermore, upstream has deprecated the libxml2 Python bindings.
While these remain present in 2.15.3, they will be removed in 2.16.
Fedora packages currently using these bindings must be ported to
alternatives, such as python3-lxml or the standard library's
xml.etree. Concretely, this will mean that the python3-libxml2
subpackage will be marked as deprecated.

== Feedback ==


== Benefit to Fedora ==

* Security: Several security vulnerabilities, that are only fixed in
2.15.2 and above, are fixed in this release
* Modernization: Aligns Fedora with the latest upstream release, which
sees security and bugfixes.

== Scope ==
* Proposal owners:
** Perform the {{package|libxml2}} library update in Rawhide.
** Coordinate the mass rebuild with Release Engineering.
** Deprecation Management:
*** Audit all packages in Fedora using <code>python3-libxml2</code>.
*** Notify maintainers of affected packages.
*** Provide guidance/patches for migrating to <code>lxml</code> or
<code>ElementTree</code>.

* Other developers:
** Mass Rebuild: Maintainers of packages depending on
<code>libxml2</code> must ensure their packages rebuild successfully
against the new ABI.
** Migration: Maintainers of packages relying on the Python bindings
in <code>python3-libxml2</code> must begin porting their code to
alternative libraries before the planned removal in 2.16.

* Release engineering:
[https://forge.fedoraproject.org/releng/tickets/issues/13382 #13382]
** A mass rebuild will be required due to the ABI change.

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with the Fedora Strategy:


== Upgrade/compatibility impact ==

* C ABI: Applications not rebuilt will fail to run due to the soname change.
* Python ABI: Although applications using the Python bindings will
run, the applications will need to be ported to alternative APIs
before libxml2 2.16 is released.


== Early Testing (Optional) ==
Do you require 'QA Blueprint' support? N

Proposed MR for the package update to 2.15.3:
https://src.fedoraproject.org/rpms/libxml2/pull-request/16

== How To Test ==
There should be no user-visible changes to test, as the majority of
the upstream changes are removing old and unused code in the libxml2
library. A mass rebuild of dependent packages is the most effective
test, but testing that functionality using libxml2 in those packages
still works as expected will be useful.


== User Experience ==


== Dependencies ==
Preliminary list of packages depending on libxml2: approximately 600
binary packages, including many critical path packages.

Preliminary list of packages depending on python3-libxml2, which will
be affected by the deprecation and eventual removal:
*beaker-client
*gnome-doc-utils
*imagefactory
*itstool
*koji-vm
*ovfenv-
*python3-dmidecode
*python3-libxslt
*rteval
*setroubleshoot-server
*virt-manager-common

== Contingency Plan ==

** ABI Breakage: If the mass rebuild is unsuccessful or reveals
widespread, unresolvable issues, revert to 2.13.9.
** Binding Deprecation: If a critical system package cannot be ported
away from the libxml2 Python bindings in time, we will maintain the
bindings in a separate legacy package (python3-libxml2-legacy) as a
temporary measure until the migration is completed.
* Contingency deadline: Beta freeze
* Blocks release? Yes


== Documentation ==

There were many removals and deprecations between 2.13.9 and 2.15.3, including:
* Removal of FTP, HTTP and LZMA support
* Removal of the <code>libxml.m4</code> autoconf macros
* Deprecation of direct struct access, with many accessor functions added

In addition, many other bugfixes and security fixes were added, including:
* CVE-2026-1757 fix: Memory leak in xmllint Shell - shell.c
* CVE-2026-0990 fix: Prevent infinite recursion in xmlCatalogListXMLResolve
* CVE-2026-0992 fix: Exponential behavior when handling
* parser: Fix infinite loop in xmlCtxtParseContent
* CVE-2025-10911 libxslt related: Ignore next/prev of documents when
traversing XPath
* CVE-2026-0989 fix: Add RelaxNG include limit

== Release Notes ==


-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- 
_______________________________________________
devel-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to