CVE-2017-16932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16932): parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.
CVE-2017-16931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16931): parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.
@Maintainers: libxml2-2.9.6 is already stable on some arches. Please confirm if we can stabilize it and clean previous versions. Thank you.
2.9.6 is ok to go stable for remaining arches.
GLSA Vote: No
Cleanup will be tracked in bug #644574.