Wiki - https://fedoraproject.org/wiki/Changes/Libxml215
Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-libxml215-system-wide/193575

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Update the <code>libxml2</code> library from version 2.13.9 to 2.15.3. This release includes critical security fixes and requires a system-wide mass rebuild due to an ABI (soname) change. Additionally, this update marks the official deprecation of the libxml2 Python bindings, which are scheduled for removal in 2.16.

== Owner ==
* Name: [[User:Amigadave| David King]]
* Email: amigadave@amigadave.com

== Detailed Description ==
The update to 2.15.3 is necessary to address several security vulnerabilities fixed only in version 2.15.2 and above. Version 2.14 introduced an ABI change, so all packages linked against libxml2 must be rebuilt.

Furthermore, upstream has deprecated the libxml2 Python bindings. While these remain present in 2.15.3, they will be removed in 2.16. Fedora packages currently using these bindings must be ported to alternatives, such as python3-lxml or the standard library's xml.etree. Concretely, the python3-libxml2 subpackage will be marked as deprecated.

== Feedback ==

== Benefit to Fedora ==
* Security: several security vulnerabilities that are fixed only in 2.15.2 and above are addressed by this update.
* Modernization: aligns Fedora with the latest upstream release, which carries further security and bug fixes.

== Scope ==
* Proposal owners:
** Perform the {{package|libxml2}} library update in Rawhide.
** Coordinate the mass rebuild with Release Engineering.
** Deprecation management:
*** Audit all packages in Fedora using <code>python3-libxml2</code>.
*** Notify maintainers of affected packages.
*** Provide guidance/patches for migrating to <code>lxml</code> or <code>ElementTree</code>.
* Other developers:
** Mass rebuild: maintainers of packages depending on <code>libxml2</code> must ensure their packages rebuild successfully against the new ABI.
** Migration: maintainers of packages relying on the Python bindings in <code>python3-libxml2</code> must begin porting their code to alternative libraries before the planned removal in 2.16.
* Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues/13382 #13382]
** A mass rebuild will be required due to the ABI change.
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:

== Upgrade/compatibility impact ==
* C ABI: applications not rebuilt will fail to run due to the soname change.
* Python ABI: applications using the Python bindings will still run, but they will need to be ported to alternative APIs before libxml2 2.16 is released.

== Early Testing (Optional) ==
Do you require 'QA Blueprint' support? N

Proposed MR for the package update to 2.15.3: https://src.fedoraproject.org/rpms/libxml2/pull-request/16

== How To Test ==
There should be no user-visible changes to test, as the majority of the upstream changes remove old and unused code from the libxml2 library. A mass rebuild of dependent packages is the most effective test, but verifying that the functionality using libxml2 in those packages still works as expected will also be useful.

== User Experience ==

== Dependencies ==
Preliminary list of packages depending on libxml2: approximately 600 binary packages, including many critical path packages.
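A worked port of the kind the migration item above asks for, added here as an illustration; it is not taken from the proposal or from any Fedora package. The same lookup is written once against the deprecated python3-libxml2 bindings (kept as the "before" side; the module may be absent) and once against the standard library's xml.etree. The sample document and its element names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not from any Fedora package): a small plugin
# configuration with per-plugin enable flags and priorities.
SAMPLE_XML = """<?xml version="1.0"?>
<config>
  <plugin name="catchall" enabled="true"><priority>10</priority></plugin>
  <plugin name="restorecon" enabled="false"><priority>20</priority></plugin>
  <plugin name="leaks" enabled="true"><priority>5</priority></plugin>
</config>
"""


def enabled_plugins_libxml2(text):
    """Deprecated style: python3-libxml2 bindings (removed upstream in 2.16).

    Kept as the 'before' side of the port; the import fails once the
    bindings are gone, which is exactly the breakage maintainers must avoid.
    """
    import libxml2
    doc = libxml2.parseDoc(text)
    try:
        ctx = doc.xpathNewContext()
        try:
            nodes = ctx.xpathEval('/config/plugin[@enabled="true"]')
            # Node content must be read while the document is still alive.
            found = [(n.prop("name"), int(n.xpathEval("priority")[0].content))
                     for n in nodes]
        finally:
            ctx.xpathFreeContext()
    finally:
        doc.freeDoc()  # the bindings require explicit freeing
    return sorted(found, key=lambda item: item[1])


def enabled_plugins_etree(text):
    """Ported style: xml.etree.ElementTree from the standard library.

    ElementTree supports the XPath subset used here (child steps and
    attribute predicates), and Python manages the memory, so the
    explicit free calls disappear.
    """
    root = ET.fromstring(text)
    found = []
    for plugin in root.findall('./plugin[@enabled="true"]'):
        found.append((plugin.get("name"), int(plugin.findtext("priority"))))
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    print(enabled_plugins_etree(SAMPLE_XML))
```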
Preliminary list of packages depending on python3-libxml2, which will be affected by the deprecation and eventual removal:
* beaker-client
* gnome-doc-utils
* imagefactory
* itstool
* koji-vm
* ovfenv-
* python3-dmidecode
* python3-libxslt
* rteval
* setroubleshoot-server
* virt-manager-common

== Contingency Plan ==
* ABI breakage: if the mass rebuild is unsuccessful or reveals widespread, unresolvable issues, revert to 2.13.9.
* Binding deprecation: if a critical system package cannot be ported away from the libxml2 Python bindings in time, we will maintain the bindings in a separate legacy package (python3-libxml2-legacy) as a temporary measure until the migration is completed.
* Contingency deadline: Beta freeze
* Blocks release? Yes

== Documentation ==
There were many removals and deprecations between 2.13.9 and 2.15.3, including:
* Removal of FTP, HTTP and LZMA support
* Removal of the <code>libxml.m4</code> autoconf macros
* Deprecation of direct struct access, with many accessor functions added

In addition, many other bugfixes and security fixes were added, including:
* CVE-2026-1757 fix: Memory leak in xmllint Shell - shell.c
* CVE-2026-0990 fix: Prevent infinite recursion in xmlCatalogListXMLResolve
* CVE-2026-0992 fix: Exponential behavior when handling
* parser: Fix infinite loop in xmlCtxtParseContent
* CVE-2025-10911 libxslt related: Ignore next/prev of documents when traversing XPath
* CVE-2026-0989 fix: Add RelaxNG include limit

== Release Notes ==

-- 
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney