Add additional CVE versions

[clscott]

Based on these CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-32414
• https://nvd.nist.gov/vuln/detail/CVE-2025-32415

[plicease]

Thanks, can you add the CVE numbers next to the impacted versions in the alienfile as comments. I know we haven't done that in the past but will help understand why without git archeology.

CI failures are not you I will fix shortly.

[plicease]

Okay I fixed CI in main, can you please also rebase this onto main?

[shawnlaffan]

The code change looks good.

That said, the CVEs are for the python bindings (details in https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 ) so should not affect Alien::Libxml2 users unless they are then calling python code.

There is also the knock on effect that XML::LibXML2 has test failures for libxml2 2.13 and presumably 2.14.
https://rt.cpan.org/Ticket/Display.html?id=156899
https://rt.cpan.org/Ticket/Display.html?id=157693

And finally, XML::LibXML is up for adoption: shlomif/perl-XML-LibXML#91

[shawnlaffan]

Although now I reread the CVE and the code, the CVE lists all versions up to 2.13.8, including the 2.12 series. So the code change does not account for 2.12.10. However, doing so would cause the issues I raised above.

I'm hoping to get a Strawberry Perl 5.38.4 release out shortly and releasing such a change would certainly complicate matters given XML::LibXML2 is packaged with SP...