The CERT report does cite libxml2 now as well, so this seems to be a very pervasive issue.

Patches for libxml2 can be found in this Bugzilla ticket against 2.5.10, 2.6.16, and 2.6.26. It does not appear that this fix has been rolled into an official release yet.