Nick Wellnhofer has announced the release of Libxml2 version 2.13.6, which incorporates security fixes, addresses regressions, and enhances portability. The release incorporates corrections for stack-buffer-overflow, addresses use-after-free issues following xmlSchemaItemListAdd, and provides a solution for xmlSAX2ResolveEntity when systemId is NULL. Additional enhancements encompass sanitizer version verifications, cmake compatibility, and the inclusion of the Bcrypt link that was previously absent.
Libxml2 2.13.6 released
https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.6.tar.xz
sha256sum: f453480307524968f7a04ec65e64f2a83a825973bcd260a2e7691be82ae70c96
Security
- [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
- [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
- pattern: Fix compilation of explicit child axis
Regressions
- xmllint: Support compressed input from stdin
- uri: Fix handling of Windows drive letters
- reader: Fix return value of xmlTextReaderReadString again
- SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL
Portability
- dict: Handle ENOSYS from getentropy gracefully
- Fix compilation with uclibc (Dario Binacchi)
- python: Declare init func with PyMODINIT_FUNC
- tests: Fix sanitizer version check on old Apple clang
- cmake: Work around broken sys/random.h in old macOS SDKs
Build
- autotools: Set AC_CONFIG_AUX_DIR
- cmake: Always build Python module as shared library
- cmake: add missing
Bcryptlink on Windows (Saleem Abdulrasool)- cmake: Fix compatibility in package version file
