libxml2 (2.9.14+dfsg-1.3ubuntu3.6) noble-security; urgency=medium
* SECURITY UPDATE: libxslt internal memory corruption
- debian/patches/CVE-2025-7425.patch: fix heap-use-after-free in
xmlFreeID caused by atype corruption.
- CVE-2025-7425
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 30 Oct 2025 09:26:06 -0400
libxml2 (2.9.14+dfsg-1.3ubuntu3.5) noble-security; urgency=medium
* SECURITY UPDATE: Stack overflow
- debian/patches/CVE-2025-9714.patch: Make XPath depth check work with
recursive invocations.
- CVE-2025-9714
-- Octavio Galland <octavio.galland@canonical.com> Fri, 05 Sep 2025 12:36:12 -0300
libxml2 (2.9.14+dfsg-1.3ubuntu3.4) noble-security; urgency=medium
* SECURITY UPDATE: stack-based buffer overflow
- debian/patches/CVE-2025-6021.patch: fix integer overflow by adding
bound checks in xmlBuildQName in tree.c
prevent integer overflow
- debian/patches/CVE-2025-6170.patch: fix buffer overflow by adding
bound checks in xmlShell in debugXML.c
- CVE-2025-6021
- CVE-2025-6170
* SECURITY UPDATE: UAF and type confusion
- debian/patches/CVE-2025-49794_49796.patch: fix UAF by returning node
and freeing it after use; fix type confusion by adding type check in
xmlSchematronFormatReport in schematron.c
- CVE-2025-49794
- CVE-2025-49796
-- Shishir Subedi <shishir.subedi@canonical.com> Sat, 09 Aug 2025 11:59:12 +0545
libxml2 (2.9.14+dfsg-1.3ubuntu3.3) noble-security; urgency=medium
* SECURITY UPDATE: OOB access in python API
- debian/patches/CVE-2025-32414-pre1.patch: fix SAX driver with
character streams in python/drv_libxml2.py.
- debian/patches/CVE-2025-32414-1.patch: read at most len/4 characters
in python/libxml.c.
- debian/patches/CVE-2025-32414-2.patch: add a test in
python/tests/Makefile.am, python/tests/unicode.py.
- CVE-2025-32414
* SECURITY UPDATE: heap under-read in xmlSchemaIDCFillNodeTables
- debian/patches/CVE-2025-32415.patch: fix heap buffer overflow in
xmlSchemaIDCFillNodeTables in xmlschemas.c.
- CVE-2025-32415
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 24 Apr 2025 14:42:32 -0400
libxml2 (2.9.14+dfsg-1.3ubuntu3.2) noble-security; urgency=medium
* SECURITY UPDATE: use-after-free
- debian/patches/CVE-2024-56171.patch: Fix use-after-free after
xmlSchemaItemListAdd.
- CVE-2024-56171
* SECURITY UPDATE: stack-based buffer overflow
- debian/patches/CVE-2025-24928-pre1.patch: Check for NULL node->name
in xmlSnprintfElements.
- debian/patches/CVE-2025-24928.patch: Fix stack-buffer-overflow in
xmlSnprintfElements.
- CVE-2025-24928
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2025-27113.patch: Fix compilation of explicit
child axis.
- CVE-2025-27113
-- Fabian Toepfer <fabian.toepfer@canonical.com> Thu, 20 Feb 2025 13:28:43 +0100
libxml2 (2.9.14+dfsg-1.3ubuntu3.1) noble-security; urgency=medium
* SECURITY UPDATE: use-after-free in xmlXIncludeAddNode
- debian/patches/CVE-2022-49043.patch: fix UaF in xinclude.c.
- CVE-2022-49043
* SECURITY UPDATE: buffer overread in xmllint
- debian/patches/CVE-2024-34459.patch: fix buffer issue when using
htmlout option in xmllint.c.
- CVE-2024-34459
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Jan 2025 08:19:16 -0500
libxml2 (2.9.14+dfsg-1.3ubuntu3) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 02:21:38 +0000
libxml2 (2.9.14+dfsg-1.3ubuntu2) noble; urgency=medium
* No-change rebuild to build with python3.12 only.
-- Matthias Klose <doko@ubuntu.com> Sat, 16 Mar 2024 23:14:38 +0100
libxml2 (2.9.14+dfsg-1.3ubuntu1) noble; urgency=medium
* SECURITY UPDATE: use-after-free via XInclude expansion
- debian/patches/CVE-2024-25062.patch: don't expand XIncludes when
backtracking in xmlreader.c.
- CVE-2024-25062
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 15 Feb 2024 11:00:50 -0500
libxml2 (2.9.14+dfsg-1.3build3) noble; urgency=medium
* No-change rebuild for ICU soname change.
-- Matthias Klose <doko@ubuntu.com> Tue, 19 Dec 2023 11:06:39 +0100
libxml2 (2.9.14+dfsg-1.3build2) noble; urgency=medium
* armhf (-fstack-clash-protection) breakage rebuild
-- Mate Kukri <mate.kukri@canonical.com> Thu, 23 Nov 2023 15:12:01 +0000
libxml2 (2.9.14+dfsg-1.3build1) noble; urgency=medium
* No-change rebuild with Python 3.12 as supported version
-- Graham Inggs <ginggs@ubuntu.com> Tue, 31 Oct 2023 17:06:46 +0000
libxml2 (2.9.14+dfsg-1.3) unstable; urgency=medium
* Non-maintainer upload.
* Reset nsNr in xmlCtxtReset (CVE-2022-2309) (Closes: #1039991)
* Also reset nsNr in htmlCtxtReset (CVE-2022-2309) (Closes: #1039991)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 08 Jul 2023 21:18:29 +0200
libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium
* Non-maintainer upload.
* schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
* Fix null deref in xmlSchemaFixupComplexType (CVE-2023-28484)
(Closes: #1034436)
* Hashing of empty dict strings isn't deterministic (CVE-2023-29469)
(Closes: #1034437)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 15 Apr 2023 16:25:06 +0200
libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Fix integer overflows with XML_PARSE_HUGE (CVE-2022-40303)
(Closes: #1022224)
* Fix dict corruption caused by entity reference cycles (CVE-2022-40304)
(Closes: #1022225)
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 30 Oct 2022 11:18:06 +0100
libxml2 (2.9.14+dfsg-1) unstable; urgency=high
* Team upload.
* New upstream version 2.9.14+dfsg.
+ Integer overflows in xmlBuf/xmlBuffer. CVE-2022-29824 Closes: #1010526
-- Mattia Rizzolo <mattia@debian.org> Thu, 05 May 2022 14:43:51 +0200
libxml2 (2.9.13+dfsg-1) unstable; urgency=medium
* Team upload.
* New upstream version 2.9.13+dfsg.
+ Convert devhelp to version2. Closes: #955205
+ Use-after-free of ID and IDREF attrs. CVE-2022-23308; Closes: #1006489
* Bump my copyright for debian/*.
* d/watch: move download source to https://download.gnome.org/.
-- Mattia Rizzolo <mattia@debian.org> Sun, 27 Feb 2022 19:57:48 +0100
libxml2 (2.9.12+dfsg-6) unstable; urgency=medium
* Team upload.
* d/control:
+ Use the new Description field in the source paragraph and add references
to the binary paragraphs. This is a new feature since dpkg 1.19.0
(from 2017). Policy is not yet updated, see #998165.
+ Drop Build-Depends on python3-all-dbg, not used since the last revision.
* Add patches from upstream to fix:
+ return code of xmllint when incorrectly called. Closes: #727075
+ regression with entity references in external DTDs. Closes: #994765
-- Mattia Rizzolo <mattia@debian.org> Sat, 19 Feb 2022 13:11:26 +0100
libxml2 (2.9.12+dfsg-5) unstable; urgency=medium
* Team upload.
* Stop building the python3-libxml2-dbg package. Closes: #994307
* Add a Conflicts against the old w3c-dtd-xhtml, that contains a .dtd that
is not validating anymore. Closes: #993638
* Remove lintian override that was fixed in lintian for
debian-rules-uses-supported-python-versions-without-python-all-build-depends
-- Mattia Rizzolo <mattia@debian.org> Mon, 20 Sep 2021 15:06:01 +0200
libxml2 (2.9.12+dfsg-4) unstable; urgency=medium
* Team upload.
* Add a few patches from upstream:
+ Work around lxml API abuse.
+ Fix regression in xmlNodeDumpOutputInternal. LP: #1943277
+ Fix whitespace when serializing empty HTML documents.
+ Forbid epsilon-reduction of final states.
+ Fix buffering in xmlOutputBufferWrite.
-- Mattia Rizzolo <mattia@debian.org> Fri, 10 Sep 2021 22:13:09 +0200
libxml2 (2.9.12+dfsg-3) unstable; urgency=medium
* Team upload.
* Upload to unstable.
* Add patch from upstream to fix a regression in the recursion limit for
complex XSLT documents. This also fixed the ruby-nokogiri test failure,
so drop the previously introduced Breaks.
* d/control: Bump Standards-Version to 4.6.0, no changes needed.
-- Mattia Rizzolo <mattia@debian.org> Wed, 01 Sep 2021 16:45:21 +0200
libxml2 (2.9.12+dfsg-2) experimental; urgency=medium
* Team upload.
* d/control: Break ruby-nokogiri (<< 1.11.7).
* lintian:
+ Add a link from usr/share/doc/libxml2/gtk-doc
usr/share/gtk-doc/html/libxml2. See #970275
+ Override for package-contains-documentation-outside-usr-share-doc.
* Add two patches to refactor how docs are installed.
* Add a patch to properly install all the documentation we were
previously manually installing.
* d/rules: Use the now working --docdir flag to install the documentation
directly in the right place.
* Move the documentation and examples from /usr/share/doc/libxml2-doc
to /usr/share/doc/libxml2/, following Policy v3.9.7 §12.3.
-- Mattia Rizzolo <mattia@debian.org> Thu, 29 Jul 2021 12:22:11 +0200
libxml2 (2.9.12+dfsg-1) experimental; urgency=medium
* Team upload.
* New upstream version 2.9.12+dfsg.
* Drop patches applied upstream.
* d/libxml2.symbols: Add a new symbol.
* d/control: Bump Standards-Version to 4.5.1, no changes needed.
* d/rules:
+ Bump shlibs version.
+ Drop the --as-needed linking flag, the default starting from bullseye.
-- Mattia Rizzolo <mattia@debian.org> Sun, 18 Jul 2021 15:33:26 +0200
libxml2 (2.9.10+dfsg-6.7) unstable; urgency=medium
* Non-maintainer upload.
* Patch for security issue CVE-2021-3541 (Closes: #988603)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 22 May 2021 08:21:29 +0200
libxml2 (2.9.10+dfsg-6.6) unstable; urgency=medium
* Non-maintainer upload.
* Upload to unstable.
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 06 May 2021 10:48:16 +0200
libxml2 (2.9.10+dfsg-6.5) experimental; urgency=medium
* Non-maintainer upload.
* Propagate error in xmlParseElementChildrenContentDeclPriv (CVE-2021-3537)
(Closes: #988123)
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 06 May 2021 10:28:10 +0200
libxml2 (2.9.10+dfsg-6.4) experimental; urgency=medium
* Non-maintainer upload.
* Fix use-after-free with `xmllint --html --push` (CVE-2021-3516)
(Closes: #987739)
* Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738)
* Fix use-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518)
(Closes: #987737)
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 02 May 2021 16:23:29 +0200
libxml2 (2.9.10+dfsg-6.3) unstable; urgency=medium
* Non-maintainer upload.
* Remove the Python2 autopkg test.
-- Matthias Klose <doko@debian.org> Sun, 29 Nov 2020 11:58:00 +0100
libxml2 (2.9.10+dfsg-6.2) unstable; urgency=medium
* Non-maintainer upload.
* Fix out-of-bounds read with 'xmllint --htmlout' (CVE-2020-24977)
(Closes: #969529)
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 25 Oct 2020 13:56:23 +0100
libxml2 (2.9.10+dfsg-6.1) unstable; urgency=medium
* Non-maintainer upload.
* Fix build with Python 3.9. Closes: #972022.
-- Matthias Klose <doko@debian.org> Wed, 14 Oct 2020 08:45:25 +0200
libxml2 (2.9.10+dfsg-6) unstable; urgency=medium
* Team upload.
[ Mattia Rizzolo ]
* Drop Python2 support. Closes: #936941
* Use dh-sequence-python3 to at least simplify one line of d/rules.
* Bump debhelper compat level to 13.
+ Drop dh_missing override, dh13 defaults to --fail-missing.
[ Debian Janitor ]
* Use correct machine-readable copyright file URI.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
* Rely on pre-initialized dpkg-architecture variables.
-- Mattia Rizzolo <mattia@debian.org> Fri, 04 Sep 2020 23:05:12 +0200
libxml2 (2.9.10+dfsg-5) unstable; urgency=medium
* Team upload.
[ Mattia Rizzolo ]
* d/rules:
+ Drop --disable-silent-rules, already passed by dh_auto_configure.
+ Drop --parallel, now default with debhelper compat > 10.
+ Use dh_installdocs and dh_installexamples to install docs and examples.
+ Use dh_missing --fail-missing (and add the relevant d/not-installed).
+ Minimize indep build to build only the docs.
* d/watch: fix an option to avoid a warning message.
* d/control:
+ Move most of the build-deps to Build-Depends-Arch.
+ Use ${python:Depends} also for python-libxml2-dbg.
* Add a lintian override for
debian-rules-uses-supported-python-versions-without-python-all-build-depends
[ Gunnar Hjalmarsson ]
* d/p/python3-unicode-errors.patch:
Fix segfault issue with itstool and py3. LP: #1869814
-- Mattia Rizzolo <mattia@debian.org> Fri, 10 Apr 2020 14:53:23 +0200
libxml2 (2.9.10+dfsg-4) unstable; urgency=medium
* Team upload.
* Add patch from upstream to prevent a segfault in some platforms with
illegal documents.
-- Mattia Rizzolo <mattia@debian.org> Thu, 27 Feb 2020 19:21:45 +0100
libxml2 (2.9.10+dfsg-3) unstable; urgency=medium
* Team upload.
* Add patch so that xml2-config only displays libraries needed for dynamic
linking. Closes: #952115
-- Mattia Rizzolo <mattia@debian.org> Sun, 23 Feb 2020 12:08:21 +0100
libxml2 (2.9.10+dfsg-2.1) unstable; urgency=medium
* Non-maintainer upload.
* Fix memory leak in xmlSchemaValidateStream (CVE-2019-20388)
(Closes: #949583)
* Fix infinite loop in xmlStringLenDecodeEntities (CVE-2020-7595)
(Closes: #949582)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 22 Feb 2020 23:36:57 +0100
libxml2 (2.9.10+dfsg-2) unstable; urgency=medium
* Team upload
* Re-instate Python2 support for now, the rev-deps are not ready.
Re-opens: #936941
* python-libxml2-dbg: Depend on python2-dbg instead of python-dbg.
Closes: #948493
* d/control: Bump Standards-Version 4.5.0, no changes needed.
* Re-instate the xml2-config script for now.
* Upload to unstable.
-- Mattia Rizzolo <mattia@debian.org> Fri, 21 Feb 2020 14:45:03 +0100
libxml2 (2.9.10+dfsg-1) experimental; urgency=medium
* Team upload.
* New upstream version 2.9.10+dfsg.
+ Fix memory leak. CVE-2019-19956
* Drop all patches.
* d/control:
+ Bump debhelper compat level to 12.
+ Bump Standards-Version to 4.4.1, no changes needed.
* d/libxml2.symbols: add Build-Depends-Package field, by lintian.
-- Mattia Rizzolo <mattia@debian.org> Mon, 25 Nov 2019 16:48:13 +0100
libxml2 (2.9.9+dfsg1-1~exp2) experimental; urgency=medium
* Team upload.
* Merge the lost uploads 2.9.7+dfsg-1 and 2.9.8+dfsg-1.
-- Mattia Rizzolo <mattia@debian.org> Tue, 19 Nov 2019 14:53:11 +0100
libxml2 (2.9.9+dfsg1-1~exp1) experimental; urgency=medium
[ Rene Engelhard ]
* actually remove the override_dh_gencontrol (thanks mattia)...
[ Aron Xu ]
* New upstream version 2.9.9+dfsg1
+ Fix infinite loop in LZMA decompression. CVE-2018-9251; Closes: #895195
+ Fix (another) infinite loop in LZMA decompression. CVE-2018-14567
+ Fix nullptr deref with XPath logic ops. CVE-2018-14404; Closes: #901817
* Remove patches merged upstream
* Update symbols
* Remove python2 support Closes: #936941
-- Aron Xu <aron@debian.org> Tue, 29 Oct 2019 10:08:51 +0000
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libxml2`.