SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for expat-2.4.1-2.3.i586.rpm :

* Mon May 24 2021 Pedro Monreal - Update to 2.4.1:
* Bug fixes: - Autotools: Fix installed header expat_config.h for multilib systems; regression introduced in 2.4.0 by pull request #486
* Other changes: - Version info bumped from 9:0:8 to 9:1:8; see https://verbump.de/ for what these numbers do
* Mon May 24 2021 Pedro Monreal - Update to 2.4.0: [CVE-2013-0340 \"Billion Laughs\"]
* Security fixes: - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks (denial-of-service; flavors targeting CPU time or RAM or both, leveraging general entities or parameter entities or both) by tracking and limiting the input amplification factor ( := ( + ) / ). By conservative default, amplification up to a factor of 100.0 is tolerated and rejection only starts after 8 MiB of output bytes (= + ) have been processed. The fix adds the following to the API: - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to signals this specific condition. - Two new API functions .. - XML_SetBillionLaughsAttackProtectionMaximumAmplification and - XML_SetBillionLaughsAttackProtectionActivationThreshold .. to further tighten billion laughs protection parameters when desired. Please see file \"doc/reference.html\" for details. If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat. - Two new XML_FEATURE_
* constants .. - that can be queried using the XML_GetFeatureList function, and - that are shown in \"xmlwf -v\" output. - Two new environment variable switches .. - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and - EXPAT_ENTITY_DEBUG=(0|1) .. for runtime debugging of accounting and entity processing. Specific behavior of these values may change in the future. - Two new command line arguments \"-a FACTOR\" and \"-b BYTES\" for xmlwf to further tighten billion laughs protection parameters when desired. If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat.
* Bug fixes: - For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault for UTF-16 payloads containing CDATA sections. - Autotools: Fix generated CMake files for non-64bit and non-Linux platforms (e.g. macOS and MinGW in particular) that were introduced with release 2.3.0
* Other changes: - xmlwf: Improve help output and the xmlwf man page - xmlwf: Improve maintainability through some refactoring - xmlwf: Fix man page DocBook validity - CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR and CMAKE_INSTALL_INCLUDEDIR - CMake: Add support for standard variable BUILD_SHARED_LIBS - Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters - Resolve macro HAVE_EXPAT_CONFIG_H - Delete unused legacy helper file \"conftools/PrintPath\" - doc/reference.html: Fix XHTML validity - doc/reference.html: Replace the 90s look by OK.css - Version info bumped from 8:0:7 to 9:0:8 due to addition of new symbols and error codes; see https://verbump.de/ for what these numbers do
* Tue Apr 13 2021 Dominique Leuenberger - Do not BuildRequire cmake: expat is part of the distro bootstrap cycle and any additional dependency makes the ring larger. In this case here, cmake was even only used to own a directory.
* Tue Apr 06 2021 Dirk Müller - update to 2.3.0:
* When calling XML_ParseBuffer without a prior successful call to XML_GetBuffer as a user, no longer trigger undefined behavior (by adding an integer to a NULL pointer) but rather return XML_STATUS_ERROR and set the error code to (new) code XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) of Clang 11 (but not Clang 9).
* xmlwf: Exit status 2 was used for both: - malformed input files (documented) and - invalid command-line arguments (undocumented). case of invalid command-line arguments now has its own exit status 4, resolving the ambiguity.
* Other changes
* Sun Oct 04 2020 Pedro Monreal - Update to 2.2.10:
* Bug fixes: - Fix undefined behavior during parsing caused by pointer arithmetic with NULL pointers - Fix reading uninitialized variable during parsing - xmlwf: Add missing check for malloc NULL return
* Other changes: - xmlwf: Document exit codes in xmlwf manpage and exit with code 3 (rather than code 1) for output errors when used with \"-d DIRECTORY\" - Autotools: Use -Werror while configure tests the compiler for supported compile flags to avoid false positives - Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g. ensure that they have the last word over flags added while running ./configure - CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis on suffix \"w\") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) - CMake: Detect and deny unsupported build combinations involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) - CMake: Install pre-compiled shipped xmlwf.1 manpage in case of -DEXPAT_BUILD_DOCS=OFF - CMake: Fix use of Expat by means of add_subdirectory - CMake: Keep expat target name constant at \"expat\" (i.e. refrain from using the target name to control build artifact filenames) - CMake: Expose man page compilation as target \"xmlwf-manpage\" - CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control generation of pkg-config file \"expat.pc\" - CMake: Add minimalistic support for building binary packages with CMake target \"package\"; based on CPack - CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default OFF to build fuzzer code against OSS-Fuzz and related environment variable LIB_FUZZING_ENGINE - Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF - Address compiler warnings - Address pngcheck warnings with doc/
*.png images: Version info bumped from 7:11:6 to 7:12:6
* Fri Nov 29 2019 Pedro Monreal Gonzalez - Version update to 2.2.9
* Other changes: - examples: Drop executable bits from elements.c [#349] Windows: Change the name of the Windows DLLs from expat
*.dll to libexpat
*.dll once more (regression from 2.2.8, first fixed in 1.95.3, issue #61 on SourceForge today, was issue #432456 back then); needs a fix due case-insensitive file systems on Windows and the fact that Perl\'s XML::Parser::Expat compiles into Expat.dll. [#347] Windows: Only define _CRT_RAND_S if not defined Version info bumped from 7:10:6 to 7:11:6
* Mon Sep 16 2019 Pedro Monreal Gonzalez - Version update to 2.2.8
* Security fixes: (CVE-2019-15903, bsc#1149429) - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype;
* Bug fixes: - Fix cases where XML_StopParser did not have any effect when called from inside of an end element handler - xmlwf: Fix exit code for operation without \"-d DIRECTORY\"; previously, only \"-d DIRECTORY\" would give you a proper exit code: Now both cases return exit code 2.
* Other changes: - examples: Improve elements.c - Autotools: Add argument --enable-xml-attr-info - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom - Autotools: Fix linking issues with \"./configure LD=clang\" - Autotools: Fix \"make run-xmltest\" for out-of-source builds - CMake: Pull all options from Expat <=2.2.7 into namespace - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO - CMake: Install expat_config.h to include directory - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..]) - CMake: Now produces a summary of applied configuration - CMake: Require C++ compiler only when tests are enabled - CMake: Fix compilation for 16bit character types, i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) - CMake: Port \"make run-xmltest\" from GNU Autotools to CMake - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF- Removed patches fixed in the update:
* expat-CVE-2019-15903.patch
* expat-CVE-2019-15903-tests.patch
* Wed Sep 04 2019 Pedro Monreal Gonzalez - Security fix (CVE-2019-15903, bsc#1149429)
* Crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing
* Added patches: - expat-CVE-2019-15903.patch - expat-CVE-2019-15903-tests.patch
* Tue Jul 02 2019 Pedro Monreal Gonzalez - Version update to 2.2.7 (CVE-2018-20843, bsc#1139937)
* Security fixes: - CVE-2018-20843 - Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks
* Other changes: - Autotools/CMake: Utilize -fvisibility=hidden to stop exporting non-API symbols - Autotools: Add --without-examples and --without-tests - Autotools: Modernize configure.ac - Autotools: Fix check for -fvisibility=hidden for Clang - Autotools: Fix compilation for lack of docbook2x-man - CMake: Make libdir of pkgconfig expat.pc support multilib - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR - Remove fallback to bcopy, assume that memmove(3) exists- Removed expat-2.2.6-fix-make-clean.patch
* Thu Feb 07 2019 Bernhard Wiedemann - Add expat-2.2.6-fix-make-clean.patch- Allow profile guided optimization again
* Thu Jan 03 2019 Tomáš Chvátal - Drop docbook2x dependency, the manpages are generated in the upstream archive and this way we break buildcycle
* Tue Sep 11 2018 pmonrealgonzalezAATTsuse.com- Version update to 2.2.6 Sun August 12 2018
* Bug fixes: - Avoid doing arithmetic with NULL pointers in XML_GetBuffer - Fix 2.2.5 regression with suspend-resume while parsing a document like \'\'
* Other changes: - Autotools: Fix docbook-related configure syntax error - Autotools: Avoid grep option `-q` for Solaris - Autotools: Support ./configure DOCBOOK_TO_MAN=\"xmlto man --skip-validation\" - Autotools: Support DOCBOOK_TO_MAN command which produces xmlwf.1 rather than XMLWF.1; also covers case insensitive file systems - Autotools: Drop -rpath option passed to libtool - Autotools: Detect and deny SGML docbook2man as ours is XML - Autotools/CMake: Support command db2x_docbook2man as well - CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF - CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF - CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, both defaulting to OFF - CMake: Prefer check_symbol_exists over check_function_exists - CMake: Create the same pkg-config file as with GNU Autotools - CMake: Use GNUInstallDirs module to set proper defaults for install directories - CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM - Address compiler warnings - Fix miscellaneous typos
  
ICM