Bug 35058 - libxml2 new security issues CVE-2025-8732, CVE-2026-0989, CVE-2026-0990 and CVE-2026-0992
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-23 15:20 CET by Nicolas Salguero
Modified: 2026-01-30 01:40 CET

See Also:
Source RPM: libxml2-2.10.4-1.8.mga9.src.rpm
CVE: CVE-2025-8732, CVE-2026-0989, CVE-2026-0990, CVE-2026-0992
Status comment:
j.alberto.vc: test_passed_mga9_64+


Description Nicolas Salguero 2026-01-23 15:20:42 CET
Ubuntu has issued an advisory on January 22:
https://ubuntu.com/security/notices/USN-7974-1
Nicolas Salguero 2026-01-23 15:22:52 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-8732, CVE-2026-0989, CVE-2026-0990, CVE-2026-0992
Flags: (none) => affects_mga9+
Status comment: (none) => Patches available from Ubuntu
Source RPM: (none) => libxml2-2.15.1-1.mga10.src.rpm, libxml2-2.10.4-1.8.mga9.src.rpm

Comment 1 Lewis Smith 2026-01-23 21:53:39 CET
I think these are the patches:

(CVE-2025-8732)
https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/337/diffs?commit_id=eae9291aa73907694dd3a4274d306e31217e746e
"fix: Prevent infinite recursion in xmlCatalogListXMLResolve CVE-2025-8732"

(CVE-2026-0989)
https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374/diffs?commit_id=19549c61590c1873468c53e0026a2fbffae428ef
"Add RelaxNG include limit"

(CVE-2026-0990)
Cannot find the patch. RedHat?

(CVE-2026-0992)
Cannot find the patch. RedHat?

Assigning globally as different packagers touch libxml2.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2026-01-27 14:28:23 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

xmlcatalog xmlParseSGMLCatalog recursion. (CVE-2025-8732)

Unbounded relaxng include recursion leading to stack overflow. (CVE-2026-0989)

Denial of service via uncontrolled recursion in xml catalog processing. (CVE-2026-0990)

Denial of service via crafted xml catalogs. (CVE-2026-0992)

References:
https://ubuntu.com/security/notices/USN-7974-1
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2-devel-2.10.4-1.9.mga9
lib(64)xml2_2-2.10.4-1.9.mga9
libxml2-python3-2.10.4-1.9.mga9
libxml2-utils-2.10.4-1.9.mga9

from SRPM:
libxml2-2.10.4-1.9.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Status comment: Patches available from Ubuntu => (none)
Status: NEW => ASSIGNED
Source RPM: libxml2-2.15.1-1.mga10.src.rpm, libxml2-2.10.4-1.8.mga9.src.rpm => libxml2-2.10.4-1.8.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)

Comment 3 katnatek 2026-01-28 02:06:30 CET
RH x86_64

installing //home/katnatek/qa-testing/x86_64/libxml2-utils-2.10.4-1.9.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/libxml2-python3-2.10.4-1.9.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64xml2_2-2.10.4-1.9.mga9.x86_64.rpm
//home/katnatek/qa-testing/i586/libxml2_2-2.10.4-1.9.mga9.i586.rpm
Preparing...                     ###################################################################################################
      1/4: lib64xml2_2           ###################################################################################################
      2/4: libxml2-utils         ###################################################################################################
      3/4: libxml2-python3       ###################################################################################################
      4/4: libxml2_2             ###################################################################################################
      1/4: removing libxml2-python3-2.10.4-1.8.mga9.x86_64
                                 ###################################################################################################
      2/4: removing libxml2-utils-2.10.4-1.8.mga9.x86_64
                                 ###################################################################################################
      3/4: removing libxml2_2-2.10.4-1.8.mga9.i586
                                 ###################################################################################################
      4/4: removing lib64xml2_2-2.10.4-1.8.mga9.x86_64
                                 ###################################################################################################


xsltproc cdcatalog.xsl cdcatalog.xml &
python libxml_xslt_transform_example.py

Produces:

<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th style="text-align:left">Title</th>
<th style="text-align:left">Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
</tr>
<tr>
<td>Hide your heart</td>
<td>Bonnie Tyler</td>
</tr>
<tr>
<td>Greatest Hits</td>
<td>Dolly Parton</td>
</tr>
<tr>
<td>Still got the blues</td>
<td>Gary Moore</td>
</tr>
<tr>
<td>Eros</td>
<td>Eros Ramazzotti</td>
</tr>
<tr>
<td>One night only</td>
<td>Bee Gees</td>
</tr>
<tr>
<td>Sylvias Mother</td>
<td>Dr.Hook</td>
</tr>
<tr>
<td>Maggie May</td>
<td>Rod Stewart</td>
</tr>
<tr>
<td>Romanza</td>
<td>Andrea Bocelli</td>
</tr>
<tr>
<td>When a man loves a woman</td>
<td>Percy Sledge</td>
</tr>
<tr>
<td>Black angel</td>
<td>Savage Rose</td>
</tr>
<tr>
<td>1999 Grammy Nominees</td>
<td>Many</td>
</tr>
<tr>
<td>For the good times</td>
<td>Kenny Rogers</td>
</tr>
<tr>
<td>Big Willie style</td>
<td>Will Smith</td>
</tr>
<tr>
<td>Tupelo Honey</td>
<td>Van Morrison</td>
</tr>
<tr>
<td>Soulsville</td>
<td>Jorn Hoel</td>
</tr>
<tr>
<td>The very best of</td>
<td>Cat Stevens</td>
</tr>
<tr>
<td>Stop</td>
<td>Sam Brown</td>
</tr>
<tr>
<td>Bridge of Spies</td>
<td>T`Pau</td>
</tr>
<tr>
<td>Private Dancer</td>
<td>Tina Turner</td>
</tr>
<tr>
<td>Midt om natten</td>
<td>Kim Larsen</td>
</tr>
<tr>
<td>Pavarotti Gala Concert</td>
<td>Luciano Pavarotti</td>
</tr>
<tr>
<td>The dock of the bay</td>
<td>Otis Redding</td>
</tr>
<tr>
<td>Picture book</td>
<td>Simply Red</td>
</tr>
<tr>
<td>Red</td>
<td>The Communards</td>
</tr>
<tr>
<td>Unchain my heart</td>
<td>Joe Cocker</td>
</tr>
</table>
</body></html>

Flags: (none) => test_passed_mga9_64+

katnatek 2026-01-28 20:43:44 CET

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2026-01-29 19:16:02 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-01-29 23:26:36 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2026-01-30 01:40:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0027.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

