Changelog for libexpat-devel-2.2.1-161.1.i586.rpm :
Tue Jul 11 14:00:00 2017
- Build with profiling when possible

Tue Jul 4 14:00:00 2017
- Version update to 2.2.1 Sat June 17 2017
- Security fixes:
CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
- [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow;
(Fixed version of existing downstream patches!)
- ( #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names;
[#25] More integer overflow detection (function poolGrow);
- [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse;
- [MOX-005] #30 Use high quality entropy for hash initialization:

* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI

* RtlGenRandom on Windows XP / Server 2003 and later

* getrandom on Linux 3.17+
In a way, that's still part of CVE-2016-5300.
- [MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak,
- [MOX-003] Prevent use of uninitialised variable; commit
- [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
- [MOX-006]
* NULL checks; commits

* Negative length (XML_Parse); commit
- [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
- [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
to go further with fixing CVE-2012-0876.
- Bug fixes:
[#32] Fix sharing of hash salt across parsers;
relevant where XML_ExternalEntityParserCreate is called
prior to XML_Parse, in particular (e.g. FBReader)
[#28] xmlwf: Auto-disable use of memory-mapping (and parsing
as a single chunk) for files larger than ~1 GB (2^30 bytes)
rather than failing with error "out of memory"
[#3] Fix double free after malloc failure in DTD code; commit
[#17] Fix memory leak on parser error for unbound XML attribute
prefix with new namespaces defined in the same tag;
found by Google's OSS-Fuzz; commits
xmlwf on Windows: Add missing calls to CloseHandle
- New features:
[#30] Introduced environment switch EXPAT_ENTROPY_DEBUG=1
for runtime debugging of entropy extraction
Bump version info from 7:2:6 to 7:3:6

Mon Jul 18 14:00:00 2016
- Remove pointless --with-pic (for static only)

Thu Jul 14 14:00:00 2016
- Version update to 2.2.0:

* Fixes bnc#983215 CVE-2012-6702

* Fixes bnc#983216 CVE-2016-5300

* Various cmake and autotools script updates

* Fix detection of utf8 character boundaries
- Remove all patches merged upstream:

* expat-2.1.1-avoid_relying_on_undef_behaviour.patch

* expat-2.1.1-parser_crashes_on_malformed_input.patch

* expat-alloc-size.patch

* expat-visibility.patch

Wed May 18 14:00:00 2016
- add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid
relying on undefined behavior in the original CVE-2015-1283 fix
[bnc#980391], [bnc#983985], [CVE-2016-4472]
- add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix
Expat XML parser that mishandles certain kinds of malformed input
documents [bnc#979441], [CVE-2016-0718]
- use spec-cleaner to clean specfile

Fri Apr 1 14:00:00 2016
- After simplification of expat-visibility.patch, it became
ineffective as no symbols are getting hidden. add -fvisibility=hidden
to CFLAGS again.
- expat-alloc-size.patch: fix braino, realloc()-like functions
should not take __attribute__(malloc)

Wed Mar 23 13:00:00 2016
- Update to version 2.1.1

* Fixes CVE-2015-1283 — Multiple integer overflows in the
XML_GetBuffer function

* Fix potential null pointer dereference

* Symbol XML_SetHashSalt was not exported

* Output of xmlwf -h was incomplete

* Document behavior of calling XML_SetHashSalt with salt 0

* Minor improvements to man page xmlwf(1)
- Simplify expat-visibility.patch, refresh expat-alloc-size.patch
- Drop config-guess-sub-update.patch, fixed upstream.

Sat Jul 11 14:00:00 2015
- Cleanup spec file with spec-cleaner
- Remove old ppc obsoletes/provides

Tue Mar 26 13:00:00 2013
- Added url as source.
Please see

Thu Feb 21 13:00:00 2013
- Sanitize description of expat (replace it with a more current
one from the homepage)

Mon Feb 4 13:00:00 2013
- Update config.guess/sub for aarch64

Wed Jan 23 13:00:00 2013
- fix of fix of [bnc#798644]
- according to upstream changelog:
- Improved ability to build without the configure-generated
expat_config.h header. This is useful for applications
which embed Expat rather than linking in the library.
because I am not exactly sure about implication of this, rather use
-DXML_HAVE_VISIBILITY in CFLAG_VISIBILITY in expat-visibility.patch

Tue Jan 22 13:00:00 2013
- Executing autoreconf requires autoconf BuildRequire

Fri Jan 18 13:00:00 2013
- really hide private Xml* symbols [bnc#798644]

* modified visibility.patch

Tue Apr 10 14:00:00 2012
- update to 2.1.0
- Bug Fixes:
[#1742315]: Harmful XML_ParserCreateNS suggestion.
[#2895533]: CVE-2012-1147 - Resource leak in readfilemap.c.
[#1785430]: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
[#1983953], 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of
[#2815947], #2884086: OBJEXT and EXEEXT support while building.
[#1990430]: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
[#2517938]: xmlwf should return non-zero exit status if not well-formed.
[#2517946]: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
[#2855609]: Dangling positionPtr after error.
[#2894085]: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
[#2958794]: CVE-2012-1148 - Memory leak in poolGrow.
[#2990652]: CMake support.
[#3010819]: UNEXPECTED_STATE with a trailing "%" in entity value.
[#3206497]: Uninitialized memory returned from XML_Parse.
[#3287849]: make check fails on mingw-w64.
[#3496608]: CVE-2012-0876 - Hash DOS attack.
- Patches:
[#1749198]: pkg-config support.
[#3010222]: Fix for bug #3010819.
[#3312568]: CMake support.
[#3446384]: Report byte offsets for attr names and values.
- New Features / API changes:

* Added new API member XML_SetHashSalt() that allows setting an
initial value (salt) for hash calculations. This is part of the
fix for bug #3496608 to randomize hash parameters.

* When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).

* Added CMake build system. See bug #2990652 and patch #3312568.

* Added run-benchmark target to - relies on testdata
module present in the same relative location as in the repository.

Tue Mar 6 13:00:00 2012
- update to 2.1.0 beta

* refreshed expat-visibility.patch

* removed obsolete expat-CVE-2009-3560.patch

* removed obsolete expat-CVE-2009-2625.patch
- hash table DOS attack fix
- accumulated bug fixes and some changes to the build system
- new conditional feature to make byte offsets for attributes
and attribute names available

Sun Feb 12 13:00:00 2012
- Put libraries back to %{_libdir}, /usr merge project

Fri Dec 2 13:00:00 2011
- add automake as buildrequire to avoid implicit dependency

Sun Oct 30 13:00:00 2011
- Hide non public symbols reusing existing win32 API export/imports
- annotate malloc/realloc-like functions with attribute alloc_size
to catch possible misuses in calling code.

Sun Sep 18 14:00:00 2011
- Remove redundant/obsolete tags/sections from specfile
(cf. packaging guidelines)
- Use %_smp_mflags for parallel build
- Add libexpat-devel to baselibs

Fri Feb 25 13:00:00 2011
- fix license (MIT) in spec file

Fri Jan 8 13:00:00 2010
- fix CVE-2009-3560.patch [bnc#566434]

Sun Dec 13 13:00:00 2009
- add baselibs.conf as a source

Fri Dec 4 13:00:00 2009
- fix DoS (CVE-2009-3560.patch) [bnc#558892]

Thu Oct 29 13:00:00 2009
- fix DoS (CVE-2009-2625.patch) [bnc#550664]

Sun Apr 5 14:00:00 2009
- test suite requires gcc-c++ to compile