- version update to 2.14.5
** Regressions **
* html: Don't abort on encoding errors
* parser: Fix handling of invalid char refs in recovery mode
* xmllint: Print document even in case of XInclude errors
* xmllint: Fix --xinclude --path
** Security **
* schematron: Fix memory safety issues in xmlSchematronReportOutput
* Schematron: Fix null pointer dereference leading to DoS (Michael Mann)
* Fix potential buffer overflows of interactive shell (Michael Mann)
** Improvements **
* parser: Fix xmlCtxtIsStopped
- version update to 2.14.4
** Regressions **
* parser: Fix parsing of PublicIds and VersionNums
* parser: Fix custom SAX parsers without cdataBlock handler
* error: Fix initGenericErrorDefaultFunc compatibility macro again
* io: Make xmlOutputBufferCreate* not free encoder on error
* reader: Fix null deref on malloc failure
* Revert "meson: Install libxml2.py"
** Security **
* tree: Fix integer overflow in xmlBuildQName
** Improvements **
* parser: Use parser context as default in resource loader
* parser: Only validate EnumerationTypes when requested
* parser: Undeprecate some parser context members
- version update to 2.14.3
** Regressions **
* reader: Fix reading compressed data
* parser: Make undeclared entities in XML content fatal
* save: Fix XML escape table
* save: Fix xmlSave with NULL encoding
* Revert "valid: Remove duplicate error messages when streaming"
** Bug fixes **
* save: Fix serialization of attribute defaults containing <
* io: Fix linkage of __xml*BufferCreateFilename functions
- version update to 2.14.2
** Security **
* [CVE-2025-32415] schemas: Fix heap buffer overflow in xmlSchemaIDCFillNodeTables
* [CVE-2025-32414] python: Read at most len/4 characters. (Maks Verver)
- version update to 2.14.1
** Regressions **
* parser: Fix XML_PARSE_NOBLANKS dropping non-whitespace text
- version update to 2.14.0
** Major changes **
* The HTML tokenizer now conforms fully to HTML5.
* Binary compatibility is restricted to versions 2.14 or newer.
The soname was bumped from libxml2.so.2 to libxml2.so.16.
* The serialization API will now take user-provided or default
encodings into account when serializing attribute values.
* The XML parser won't try to merge consecutive CDATA sections
as before to align with web standards.
* Support for RELAX NG can now be disabled with a new configuration
option independently of XML Schemas support.
* The "legacy" configuration option won't enable support for HTTP
and LZMA anymore.
* Parts of the xmllint executable were refactored, allowing the
combination of more options.
* Meson is fully supported now.
* Parts of the buffering code were reworked and simplified.
* Overflow checks before reallocations were hardened.
* Some unprefixed symbols were renamed to avoid namespace pollution.
** New features **
* Input callbacks can now be set on a parser context and an improved
API to create parser input is available.
* The following new functions, taking a parser input object, were added:
. xmlCtxtParseDocument
. xmlCtxtParseContent
. xmlCtxtParseDtd
* The xmlSave API now has additional options to replace global settings.
* Parser options XML_PARSE_UNZIP, XML_PARSE_NO_SYS_CATALOG and
XML_PARSE_CATALOG_PI were added.
* An API function to install a custom character encoding converter is
now available.
** Deprecations **
* Access to many public struct members is now deprecated.
* More internal functions were deprecated
** Removals **
* Metadata about the HTML4 content model was removed from the
htmlElemDesc struct
* The FTP module and related functions were removed.
* Support for the range and point extensions of the xpointer() scheme
was removed.
* Several legacy symbols and the functions in xmlunicode.h were removed.
* ELF version information was removed.
* The shell was moved from libxml2 to xmllint. Several related functions
are no longer available.
* The libxml.m4 file containing autoconf macros was removed.
* The --with-tree configuration option was removed.
* The hack to detect single-threaded programs under glibc was removed.
- modified patches
* libxml2-CVE-2025-7425.patch (refreshed)
* libxml2-python3-string-null-check.patch (refreshed)
* libxml2-python3-unicode-errors.patch (refreshed)
- modified sources
* baselibs.conf
- deleted patches
* libxml2-CVE-2025-49794,49796.patch (upstreamed)
* libxml2-CVE-2025-49795.patch (upstreamed)
* libxml2-CVE-2025-6170,6021.patch (upstreamed)
* libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch (upstreamed)
OBS-URL: https://build.opensuse.org/request/show/1309722
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libxml2?expand=0&rev=137
- version update to 2.14.5
2.14.0
** Major changes **
o The HTML tokenizer now conforms fully to HTML5.
o Binary compatibility is restricted to versions 2.14 or newer.
The soname was bumped from libxml2.so.2 to libxml2.so.16.
o The serialization API will now take user-provided or default
encodings into account when serializing attribute values.
o The XML parser won't try to merge consecutive CDATA sections
as before to align with web standards.
o Support for RELAX NG can now be disabled with a new configuration
option independently of XML Schemas support.
o The "legacy" configuration option won't enable support for HTTP
and LZMA anymore.
o Parts of the xmllint executable were refactored, allowing the
combination of more options.
o Meson is fully supported now.
o Parts of the buffering code were reworked and simplified.
o Overflow checks before reallocations were hardened.
o Some unprefixed symbols were renamed to avoid namespace pollution.
** New features **
o Input callbacks can now be set on a parser context and an improved
API to create parser input is available.
o The following new functions, taking a parser input object, were added:
. xmlCtxtParseDocument
. xmlCtxtParseContent
. xmlCtxtParseDtd
o The xmlSave API now has additional options to replace global settings.
o Parser options XML_PARSE_UNZIP, XML_PARSE_NO_SYS_CATALOG and
XML_PARSE_CATALOG_PI were added.
OBS-URL: https://build.opensuse.org/request/show/1302350
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxml2?expand=0&rev=252
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49795.patch
- security update
fix CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
fix CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
+ libxml2-CVE-2025-6170,6021.patch
OBS-URL: https://build.opensuse.org/request/show/1291037
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libxml2?expand=0&rev=135
- Update to version 2.13.6 ([bsc#1237363], [bsc#1237370], [bsc#1237418]):
+ Security:
- [CVE-2025-24928] Fix stack-buffer-overflow in
xmlSnprintfElements
- [CVE-2024-56171] Fix use-after-free after
xmlSchemaItemListAdd
- pattern: Fix compilation of explicit child axis
+ Regressions:
- xmllint: Support compressed input from stdin
- uri: Fix handling of Windows drive letters
- reader: Fix return value of xmlTextReaderReadString again
- SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL
+ Portability:
- dict: Handle ENOSYS from getentropy gracefully
- Fix compilation with uclibc (Dario Binacchi)
- python: Declare init func with PyMODINIT_FUNC
- tests: Fix sanitizer version check on old Apple clang
- cmake: Work around broken sys/random.h in old macOS SDKs
+ Build:
- autotools: Set AC_CONFIG_AUX_DIR
- cmake: Always build Python module as shared library
- cmake: add missing `Bcrypt` link on Windows
- cmake: Fix compatibility in package version file
- xmlIO: Fix reading from non-regular files like pipes
- xmlreader: Fix return value of xmlTextReaderReadString
- parser: Fix loading of parameter entities in external DTDs
- parser: Fix downstream code that swaps DTDs
- parser: Fix detection of duplicate attributes
- string: Fix va_copy fallback
- xpath: Fix parsing of non-ASCII names
OBS-URL: https://build.opensuse.org/request/show/1247404
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libxml2?expand=0&rev=132
- Update to 2.13.5:
* Regressions:
- xmlIO: Fix reading from non-regular files like pipes
- xmlreader: Fix return value of xmlTextReaderReadString
- parser: Fix loading of parameter entities in external DTDs
- parser: Fix downstream code that swaps DTDs
- parser: Fix detection of duplicate attributes
- string: Fix va_copy fallback
* Bug fixes:
- xpath: Fix parsing of non-ASCII names
- Update to 2.13.4:
* Regressions:
- parser: Make unsupported encodings an error in declarations
- io: don't set the executable bit when creating files
- xmlcatalog: Improved fix for #699
- Revert "catalog: Fetch XML catalog before dumping"
- io: Add missing calls to xmlInitParser
- tree: Restore return value of xmlNodeListGetString with NULL list
- parser: Fix error handling after reaching limit
- parser: Make xmlParseChunk return an error if parser was stopped
* Bug fixes:
- python: Fix SAX driver with character streams
* Improvements:
- xpath: Make recursion check work with xmlXPathCompile
- parser: Report at least one fatal error
- Update to 2.13.3:
* Security:
- [bsc#1234812, CVE-2024-40896] Fix XXE protection in downstream code
* Regressions:
- autotools: Use AC_CHECK_DECL to check for getentropy
(forwarded request 1238553 from pmonrealgonzalez)
OBS-URL: https://build.opensuse.org/request/show/1238933
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libxml2?expand=0&rev=130
- Update to 2.13.5:
* Regressions:
- xmlIO: Fix reading from non-regular files like pipes
- xmlreader: Fix return value of xmlTextReaderReadString
- parser: Fix loading of parameter entities in external DTDs
- parser: Fix downstream code that swaps DTDs
- parser: Fix detection of duplicate attributes
- string: Fix va_copy fallback
* Bug fixes:
- xpath: Fix parsing of non-ASCII names
- Update to 2.13.4:
* Regressions:
- parser: Make unsupported encodings an error in declarations
- io: don't set the executable bit when creating files
- xmlcatalog: Improved fix for #699
- Revert "catalog: Fetch XML catalog before dumping"
- io: Add missing calls to xmlInitParser
- tree: Restore return value of xmlNodeListGetString with NULL list
- parser: Fix error handling after reaching limit
- parser: Make xmlParseChunk return an error if parser was stopped
* Bug fixes:
- python: Fix SAX driver with character streams
* Improvements:
- xpath: Make recursion check work with xmlXPathCompile
- parser: Report at least one fatal error
- Update to 2.13.3:
* Security:
- [bsc#1234812, CVE-2024-40896] Fix XXE protection in downstream code
* Regressions:
- autotools: Use AC_CHECK_DECL to check for getentropy
OBS-URL: https://build.opensuse.org/request/show/1238553
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxml2?expand=0&rev=230