* Fri Feb 13 2026 david.anes@suse.com
- CVE-2026-0990: call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI` (bsc#1256807, bsc#1256811)
* Add patch libxml2-CVE-2026-0990.patch
- CVE-2026-0992: excessive resource consumption when processing XML catalogs due to exponential behavior when handling `<nextCatalog>` elements (bsc#1256808, bsc#1256809, bsc#1256812)
* Add patch libxml2-CVE-2026-0992.patch
- CVE-2025-8732: infinite recursion in catalog parsing functions when processing malformed SGML catalog files (bsc#1247858, bsc#1247850)
* Add patch libxml2-CVE-2025-8732.patch
* Wed Feb 04 2026 pgajdos@suse.com
- CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257593, bsc#1257594, bsc#1257595)
* Add patch libxml2-CVE-2026-1757.patch
* Wed Feb 04 2026 pgajdos@suse.com
- CVE-2025-10911: use-after-free with key data stored cross-RVT (bsc#1250553)
* Add patch libxml2-CVE-2025-10911.patch
* Thu Jan 22 2026 daniel.garcia@suse.com
- CVE-2026-0989: call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `<include>` directives (bsc#1256804, bsc#1256805, bsc#1256810)
* Add patch libxml2-CVE-2026-0989.patch
* https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
* Fri Jul 18 2025 pgajdos@suse.com
- security update
- added patches
CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr
+ libxml2-CVE-2025-7425.patch
* Fri Jun 27 2025 pgajdos@suse.com
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49795.patch
* Fri Jun 27 2025 pgajdos@suse.com
- security update
- added patches
CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
+ libxml2-CVE-2025-6170,6021.patch
* Thu Apr 17 2025 bjorn.lie@gmail.com
- Update to version 2.13.8:
+ Security:
- [CVE-2025-32415] schemas: Fix heap buffer overflow in xmlSchemaIDCFillNodeTables.
- [CVE-2025-32414] python: Read at most len/4 characters.
- bug references: [bsc#1241453], [bsc#1241551]
* Fri Mar 28 2025 bjorn.lie@gmail.com
- Update to version 2.13.7:
+ Regressions:
- tree: Fix xmlTextMerge with NULL args
- io: Fix `compressed` flag for uncompressed stdin
- parser: Fix parsing of DTD content
* Tue Feb 18 2025 bjorn.lie@gmail.com
- Update to version 2.13.6 ([bsc#1237363], [bsc#1237370], [bsc#1237418]):
+ Security:
- [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
- [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
- pattern: Fix compilation of explicit child axis
+ Regressions:
- xmllint: Support compressed input from stdin
- uri: Fix handling of Windows drive letters
- reader: Fix return value of xmlTextReaderReadString again
- SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL
+ Portability:
- dict: Handle ENOSYS from getentropy gracefully
- Fix compilation with uclibc (Dario Binacchi)
- python: Declare init func with PyMODINIT_FUNC
- tests: Fix sanitizer version check on old Apple clang
- cmake: Work around broken sys/random.h in old macOS SDKs
+ Build:
- autotools: Set AC_CONFIG_AUX_DIR
- cmake: Always build Python module as shared library
- cmake: add missing `Bcrypt` link on Windows
- cmake: Fix compatibility in package version file
- xmlIO: Fix reading from non-regular files like pipes
- xmlreader: Fix return value of xmlTextReaderReadString
- parser: Fix loading of parameter entities in external DTDs
- parser: Fix downstream code that swaps DTDs
- parser: Fix detection of duplicate attributes
- string: Fix va_copy fallback
- xpath: Fix parsing of non-ASCII names
- Drop libxml2-support-compressed-input-from-stdin.patch: Fixed upstream.
- Also CVE-2025-27113 was assigned to this release.