Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

libexpat-devel-2.4.4-150400.3.17.1 RPM for s390x

From OpenSuSE Leap 15.6 for s390x

Name: libexpat-devel Distribution: SUSE Linux Enterprise 15
Version: 2.4.4 Vendor: SUSE LLC <https://www.suse.com/>
Release: 150400.3.17.1 Build date: Mon Mar 18 09:18:21 2024
Group: Development/Libraries/C and C++ Build host: s390zl32
Size: 64423 Source RPM: expat-2.4.4-150400.3.17.1.src.rpm
Packager: https://www.suse.com/
Url: https://libexpat.github.io
Summary: Development files for expat, an XML parser toolkit
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the
parser might find in the XML document (like start tags).

This package contains the development headers for the library found
in libexpat.

Provides

Requires

License

MIT

Changelog

* Mon Mar 18 2024 david.anes@suse.com
  - Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion
    attack when there is isolated use of external parsers.
    * Added expat-CVE-2024-28757.patch
* Fri Feb 16 2024 david.anes@suse.com
  - Security fix:
    * (CVE-2023-52425, bsc#1219559) denial of service (resource
      consumption) caused by processing large tokens.
    - Added patch expat-CVE-2023-52425-1.patch
    - Added patch expat-CVE-2023-52425-2.patch
    - Added patch expat-CVE-2023-52425-backport-parser-changes.patch
    - Added patch expat-CVE-2023-52425-fix-tests.patch
* Wed Oct 26 2022 david.anes@suse.com
  - Security fix:
    * (CVE-2022-43680, bsc#1204708) use-after free caused by overeager
      destruction of a shared DTD in XML_ExternalEntityParserCreate in
      out-of-memory situations
    - Added patch expat-CVE-2022-43680.patch
* Mon Sep 26 2022 david.anes@suse.com
  - Security fix:
    * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
      function in xmlparse.c
    - Added patch expat-CVE-2022-40674.patch
* Sat Mar 05 2022 david.anes@suse.com
  - Security fixes:
    * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
      breaks biboumi, ClairMeta, jxmlease, libwbxml,
      openleadr-python, rnv, xmltodict
    - Added expat-CVE-2022-25236-relax-fix.patch
* Mon Feb 21 2022 david.anes@suse.com
  - Security fixes:
    * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
      attackers to insert namespace-separator characters into
      namespace URIs
    - Added expat-CVE-2022-25236.patch
    * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
      2.4.5 does not check whether a UTF-8 character is valid in a
      certain context.
    - Added expat-CVE-2022-25235.patch
    * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
      build_model() via uncontrolled recursion
    - Added expat-CVE-2022-25313.patch
    - The fix upstream introduced a regression that was later
      amended in 2.4.6 version
      + Added expat-CVE-2022-25313-fix-regression.patch
    * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
    - Added expat-CVE-2022-25314.patch
    * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
    - Added expat-CVE-2022-25315.patch
* Tue Feb 01 2022 david.anes@suse.com
  - Update to latest version 2.4.4 in SLE-15-SP4 [jsc#SLE-21253]
* Mon Jan 31 2022 david.anes@suse.com
  - update to 2.4.4 (bsc#1195217, bsc#1195054):
    * Security fixes:
    - CVE-2022-23852 -- Fix signed integer overflow
      (undefined behavior) in function XML_GetBuffer
      that is also called by function XML_Parse internally)
      for when XML_CONTEXT_BYTES is defined to >0 (which is both
      common and default).
      Impact is denial of service or more.
    - CVE-2022-23990 -- Fix unsigned integer overflow in function
      doProlog triggered by large content in element type
      declarations when there is an element declaration handler
      present (from a prior call to XML_SetElementDeclHandler).
      Impact is denial of service or more.
    * Bug fixes:
    - xmlwf: Fix a memory leak on output file opening error
    * Other changes:
    - Version info bumped from 9:3:8 to 9:4:8;
      see https://verbump.de/ for what these numbers do
    * Drop unused file valid-xhtml10.png
* Mon Jan 17 2022 dmueller@suse.com
  - update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474,
      bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480):
    * CVE-2021-45960 -- Fix issues with left shifts by >=29 places
      resulting in
      a) realloc acting as free
      b) realloc allocating too few bytes
      c) undefined behavior
      depending on architecture and precise value
      for XML documents with >=2^27+1 prefixed attributes
      on a single XML tag a la
      "<r xmlns:a='[..]' a:a123='[..]' [..] />"
      where XML_ParserCreateNS is used to create the parser
      (which needs argument "-n" when running xmlwf).
      Impact is denial of service, or more.
    * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
      on variable m_groupSize in function doProlog leading
      to realloc acting as free.
      Impact is denial of service or more.
    * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
      near memory allocation at multiple places.  Mitre assigned
      a dedicated CVE for each involved internal C function:
    - CVE-2022-22822 for function addBinding
    - CVE-2022-22823 for function build_model
    - CVE-2022-22824 for function defineAttribute
    - CVE-2022-22825 for function lookup
    - CVE-2022-22826 for function nextScaffoldPart
    - CVE-2022-22827 for function storeAtts
      Impact is denial of service or more.
* Mon Dec 27 2021 dmueller@suse.com
  - update to 2.4.2:
    * Link againgst libm for function "isnan"
    * Include expat_config.h as early as possible
    * Autotools: Include files with release archives:
    - buildconf.sh
    - fuzz/*.c
    * Autotools: Sync CMake templates
    * docs: Document that function XML_GetBuffer may return NULL
      when asking for a buffer of 0 (zero) bytes size
    * docs: Fix return value docs for both
      XML_SetBillionLaughsAttackProtection* functions
    * Version info bumped from 9:1:8 to 9:2:8
* Tue Sep 07 2021 pmonreal@suse.com
  - Update to 2.4.1 in SLE-15-SP4 [jsc#SLE-21253]
    * Remove expat-CVE-2018-20843.patch upstream
* Mon May 24 2021 pmonreal@suse.com
  - Update to 2.4.1:
    * Bug fixes:
    - Autotools: Fix installed header expat_config.h for multilib
      systems; regression introduced in 2.4.0 by pull request #486
    * Other changes:
    - Version info bumped from 9:0:8 to 9:1:8; see
      https://verbump.de/ for what these numbers do
* Mon May 24 2021 pmonreal@suse.com
  - Update to 2.4.0: [CVE-2013-0340 "Billion Laughs"]
    * Security fixes:
    - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
      (denial-of-service; flavors targeting CPU time or RAM or both,
      leveraging general entities or parameter entities or both)
      by tracking and limiting the input amplification factor
      (<amplification> := (<direct> + <indirect>) / <direct>).
      By conservative default, amplification up to a factor of 100.0
      is tolerated and rejection only starts after 8 MiB of output bytes
      (=<direct> + <indirect>) have been processed.
      The fix adds the following to the API:
    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
      signals this specific condition.
    - Two new API functions ..
    - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
    - XML_SetBillionLaughsAttackProtectionActivationThreshold
      .. to further tighten billion laughs protection parameters
      when desired.  Please see file "doc/reference.html" for details.
      If you ever need to increase the defaults for non-attack XML
      payload, please file a bug report with libexpat.
    - Two new XML_FEATURE_* constants ..
    - that can be queried using the XML_GetFeatureList function, and
    - that are shown in "xmlwf -v" output.
    - Two new environment variable switches ..
    - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
    - EXPAT_ENTITY_DEBUG=(0|1)
      .. for runtime debugging of accounting and entity processing.
      Specific behavior of these values may change in the future.
    - Two new command line arguments "-a FACTOR" and "-b BYTES"
      for xmlwf to further tighten billion laughs protection
      parameters when desired.
      If you ever need to increase the defaults for non-attack XML
      payload, please file a bug report with libexpat.
    * Bug fixes:
    - For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
      or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
      for UTF-16 payloads containing CDATA sections.
    - Autotools: Fix generated CMake files for non-64bit and
      non-Linux platforms (e.g. macOS and MinGW in particular)
      that were introduced with release 2.3.0
    * Other changes:
    - xmlwf: Improve help output and the xmlwf man page
    - xmlwf: Improve maintainability through some refactoring
    - xmlwf: Fix man page DocBook validity
    - CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
      and CMAKE_INSTALL_INCLUDEDIR
    - CMake: Add support for standard variable BUILD_SHARED_LIBS
    - Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
    - Resolve macro HAVE_EXPAT_CONFIG_H
    - Delete unused legacy helper file "conftools/PrintPath"
    - doc/reference.html: Fix XHTML validity
    - doc/reference.html: Replace the 90s look by OK.css
    - Version info bumped from 8:0:7 to 9:0:8 due to addition of
      new symbols and error codes; see https://verbump.de/ for
      what these numbers do
* Tue Apr 13 2021 dimstar@opensuse.org
  - Do not BuildRequire cmake: expat is part of the distro bootstrap
    cycle and any additional dependency makes the ring larger. In
    this case here, cmake was even only used to own a directory.
* Tue Apr 06 2021 dmueller@suse.com
  - update to 2.3.0:
    * When calling XML_ParseBuffer without a prior successful call to
      XML_GetBuffer as a user, no longer trigger undefined behavior
      (by adding an integer to a NULL pointer) but rather return
      XML_STATUS_ERROR and set the error code to (new) code
      XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
      of Clang 11 (but not Clang 9).
    * xmlwf: Exit status 2 was used for both:
    - malformed input files (documented) and
    - invalid command-line arguments (undocumented).
      case of invalid command-line arguments now
      has its own exit status 4, resolving the ambiguity.
    * Other changes
* Sun Oct 04 2020 pmonreal@suse.com
  - Update to 2.2.10:
    * Bug fixes:
    - Fix undefined behavior during parsing caused by pointer
      arithmetic with NULL pointers
    - Fix reading uninitialized variable during parsing
    - xmlwf: Add missing check for malloc NULL return
    * Other changes:
    - xmlwf: Document exit codes in xmlwf manpage and exit with code 3
      (rather than code 1) for output errors when used with "-d DIRECTORY"
    - Autotools: Use -Werror while configure tests the compiler for
      supported compile flags to avoid false positives
    - Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g.
      ensure that they have the last word over flags added while
      running ./configure
    - CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
      on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
    - CMake: Detect and deny unsupported build combinations
      involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
    - CMake: Install pre-compiled shipped xmlwf.1 manpage in case
      of -DEXPAT_BUILD_DOCS=OFF
    - CMake: Fix use of Expat by means of add_subdirectory
    - CMake: Keep expat target name constant at "expat" (i.e. refrain
      from using the target name to control build artifact filenames)
    - CMake: Expose man page compilation as target "xmlwf-manpage"
    - CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control
      generation of pkg-config file "expat.pc"
    - CMake: Add minimalistic support for building binary packages
      with CMake target "package"; based on CPack
    - CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default
      OFF to build fuzzer code against OSS-Fuzz and related
      environment variable LIB_FUZZING_ENGINE
    - Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF
    - Address compiler warnings
    - Address pngcheck warnings with doc/*.png images: Version info
      bumped from 7:11:6 to 7:12:6
* Fri Nov 29 2019 pmonrealgonzalez@suse.com
  - Version update to 2.2.9
    * Other changes:
    - examples: Drop executable bits from elements.c
      [#349]  Windows: Change the name of the Windows DLLs from expat*.dll
      to libexpat*.dll once more (regression from 2.2.8, first
      fixed in 1.95.3, issue #61 on SourceForge today,
      was issue #432456 back then); needs a fix due
      case-insensitive file systems on Windows and the fact that
      Perl's XML::Parser::Expat compiles into Expat.dll.
      [#347]  Windows: Only define _CRT_RAND_S if not defined
      Version info bumped from 7:10:6 to 7:11:6
* Mon Sep 16 2019 pmonrealgonzalez@suse.com
  - Version update to 2.2.8
    * Security fixes: (CVE-2019-15903, bsc#1149429)
    - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber
      (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype;
    * Bug fixes:
    - Fix cases where XML_StopParser did not have any effect
      when called from inside of an end element handler
    - xmlwf: Fix exit code for operation without "-d DIRECTORY";
      previously, only "-d DIRECTORY" would give you a proper exit code:
      Now both cases return exit code 2.
    * Other changes:
    - examples: Improve elements.c
    - Autotools: Add argument --enable-xml-attr-info
    - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom
    - Autotools: Fix linking issues with "./configure LD=clang"
    - Autotools: Fix "make run-xmltest" for out-of-source builds
    - CMake: Pull all options from Expat <=2.2.7 into namespace
    - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF
    - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF
    - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF
    - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
    - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
    - CMake: Install expat_config.h to include directory
    - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..])
    - CMake: Now produces a summary of applied configuration
    - CMake: Require C++ compiler only when tests are enabled
    - CMake: Fix compilation for 16bit character types, i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
    - CMake: Port "make run-xmltest" from GNU Autotools to CMake
    - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
  - Removed patches fixed in the update:
    * expat-CVE-2019-15903.patch
    * expat-CVE-2019-15903-tests.patch
* Wed Sep 04 2019 pmonrealgonzalez@suse.com
  - Security fix (CVE-2019-15903, bsc#1149429)
    * Crafted XML input results in heap-based buffer over-read by fooling
      the parser into changing from DTD parsing to document parsing
    * Added patches:
    - expat-CVE-2019-15903.patch
    - expat-CVE-2019-15903-tests.patch
* Tue Jul 02 2019 pmonrealgonzalez@suse.com
  - Version update to 2.2.7 (CVE-2018-20843, bsc#1139937)
    * Security fixes:
    - CVE-2018-20843 - Fix extraction of namespace prefixes from
      XML names; XML names with multiple colons could end up in
      the wrong namespace, and take a high amount of RAM and CPU
      resources while processing, opening the door to use for
      denial-of-service attacks
    * Other changes:
    - Autotools/CMake: Utilize -fvisibility=hidden to stop
      exporting non-API symbols
    - Autotools: Add --without-examples and --without-tests
    - Autotools: Modernize configure.ac
    - Autotools: Fix check for -fvisibility=hidden for Clang
    - Autotools: Fix compilation for lack of docbook2x-man
    - CMake: Make libdir of pkgconfig expat.pc support multilib
    - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
    - Remove fallback to bcopy, assume that memmove(3) exists
  - Removed expat-2.2.6-fix-make-clean.patch
* Thu Feb 07 2019 bwiedemann@suse.com
  - Add expat-2.2.6-fix-make-clean.patch
  - Allow profile guided optimization again
* Thu Jan 03 2019 tchvatal@suse.com
  - Drop docbook2x dependency, the manpages are generated in
    the upstream archive and this way we break buildcycle
* Tue Sep 11 2018 pmonrealgonzalez@suse.com
  - Version update to 2.2.6 Sun August 12 2018
    * Bug fixes:
    - Avoid doing arithmetic with NULL pointers in XML_GetBuffer
    - Fix 2.2.5 regression with suspend-resume while parsing
      a document like '<root/>'
    * Other changes:
    - Autotools: Fix docbook-related configure syntax error
    - Autotools: Avoid grep option `-q` for Solaris
    - Autotools: Support
      ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
    - Autotools: Support DOCBOOK_TO_MAN command which produces
      xmlwf.1 rather than XMLWF.1; also covers case insensitive
      file systems
    - Autotools: Drop -rpath option passed to libtool
    - Autotools: Detect and deny SGML docbook2man as ours is XML
    - Autotools/CMake: Support command db2x_docbook2man as well
    - CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
    - CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
    - CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
      both defaulting to OFF
    - CMake: Prefer check_symbol_exists over check_function_exists
    - CMake: Create the same pkg-config file as with GNU Autotools
    - CMake: Use GNUInstallDirs module to set proper defaults for
      install directories
    - CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
    - Address compiler warnings
    - Fix miscellaneous typos
* Thu Nov 16 2017 jengelh@inai.de
  - Expand description of expat-devel.
* Thu Nov 16 2017 mpluskal@suse.com
  - Do not generate manpages from docbook
  - Temporarily disable profiling due to bug in build system
* Wed Nov 08 2017 aavindraa@gmail.com
  - Version update to 2.2.5 Tue October 31 2017
    * Bug fixes:
    - If the parser runs out of memory, make sure its internal
      state reflects the memory it actually has, not the memory
      it wanted to have.
    - The default handler wasn't being called when it should for
      a SYSTEM or PUBLIC doctype if an entity declaration handler
      was registered.
    - Fix a case of mistakenly reported parsing success where
      XML_StopParser was called from an element handler
    - Function XML_ErrorString was returning NULL rather than
      a message for code XML_ERROR_INVALID_ARGUMENT
      introduced with release 2.2.1
    * Other changes:
    - Add argument -N adding notation declarations
    - various compiler-specific fixes
    - Improve docbook2x-man detection
  - drop expat-docbook.patch
    * fixed in 0f5186c7b8e503c669e332d944712de010b265f3
  - switch to github for release tarballs and website
* Thu Oct 26 2017 pmonrealgonzalez@suse.com
  - Version update to 2.2.4 Sat August 19 2017
    * Bug fixes:
      [#115]  Fix copying of partial characters for UTF-8 input
    * Other changes:
      [#109]  Fix "make check" for non-x86 architectures that default
      to unsigned type char (-128..127 rather than 0..255)
      [#109]  coverage.sh: Cover -funsigned-char
      Autotools: Introduce --without-xmlwf argument
      [#65]  Autotools: Replace handwritten Makefile with GNU Automake
      [#43]  CMake: Auto-detect high quality entropy extractors, add new
      option USE_libbsd=ON to use arc4random_buf of libbsd
      [#74]  CMake: Add -fno-strict-aliasing only where supported
      [#114]  CMake: Always honor manually set BUILD_* options
      [#114]  CMake: Compile man page if docbook2x-man is available, only
      [#117]  Include file tests/xmltest.log.expected in source tarball
      (required for "make run-xmltest")
      [#111]  Fix some typos in documentation
      Version info bumped from 7:5:6 to 7:6:6
  - Release 2.2.3 Wed August 2 2017
    * Bug fixes:
      [#85]  Fix a dangling pointer issue related to realloc
    * Other changes:
      [#91]  Linux: Allow getrandom to fail if nonblocking pool has not
      yet been initialized and read /dev/urandom then, instead.
      This is in line with what recent Python does.
      [#86]  Check that a UTF-16 encoding in an XML declaration has the
      right endianness
    [#4] #5 #7  Recover correctly when some reallocations fail
      Repair "./configure && make" for systems without any
      provider of high quality entropy
      and try reading /dev/urandom on those
      Ensure that user-defined character encodings have converter
      functions when they are needed
      Fix mis-leading description of argument -c in xmlwf.1
      Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
      for CloudABI
      [#100]  Fix use of SIPHASH_MAIN in siphash.h
      [#23]  Test suite: Fix memory leaks
      Version info bumped from 7:4:6 to 7:5:6
  - Release 2.2.2 Wed July 12 2017
    * Security fixes:
      [#43]  Protect against compilation without any source of high
      quality entropy enabled, e.g. with CMake build system;
    * [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
      resulted in NULL dereference, previously;
    * Bug fixes:
      [#69]  Fix improper use of unsigned long long integer literals
    * Other changes:
      [#73]  Start requiring a C99 compiler
      [#49]  Fix "==" Bashism in configure script
      [#58]  Address compile warnings
      [#68]  Fix "./buildconf.sh && ./configure" for some versions
      of Dash for /bin/sh
      [#72]  CMake: Ease use of Expat in context of a parent project
      with multiple CMakeLists.txt files
      [#72]  CMake: Resolve mistaken executable permissions
      [#76]  Address compile warning with -DNDEBUG (not recommended!)
      [#77]  Address compile warning about macro redefinition
    * Added patch expat-docbook.patch to compile the man pages with
    docbook-to-man
    * Cleaned spec file with spec-cleaner
* Sat Oct 07 2017 jayvdb@gmail.com
  - Allow building when do_profiling is undefined
* Tue Jul 11 2017 mpluskal@suse.com
  - Build with profiling when possible
* Tue Jul 04 2017 meissner@suse.com
  - Version update to 2.2.1 Sat June 17 2017
    - Security fixes:
      CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
      Details: https://libexpat.github.io/doc/cve-2017-9233/
      Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
    - [MOX-002]      CVE-2016-9063 / bsc#1047240 -- Detect integer overflow;
      (Fixed version of existing downstream patches!)
    - (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
      longer tag names;
      [#25]  More integer overflow detection (function poolGrow);
    - [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse;
    - [MOX-005] #30  Use high quality entropy for hash initialization:
    * arc4random_buf on BSD, systems with libbsd
      (when configured with --with-libbsd), CloudABI
    * RtlGenRandom on Windows XP / Server 2003 and later
    * getrandom on Linux 3.17+
      In a way, that's still part of CVE-2016-5300.
      https://github.com/libexpat/libexpat/pull/30/commits
    - [MOX-005] For the low quality entropy extraction fallback code,
      the parser instance address can no longer leak,
    - [MOX-003] Prevent use of uninitialised variable; commit
    - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
      Add missing parameter validation to public API functions
      and dedicated error code XML_ERROR_INVALID_ARGUMENT:
    - [MOX-006] * NULL checks; commits
    * Negative length (XML_Parse); commit
    - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
    - [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
      to go further with fixing CVE-2012-0876.
      https://github.com/libexpat/libexpat/pull/39/commits
    - Bug fixes:
      [#32] Fix sharing of hash salt across parsers;
      relevant where XML_ExternalEntityParserCreate is called
      prior to XML_Parse, in particular (e.g. FBReader)
      [#28] xmlwf: Auto-disable use of memory-mapping (and parsing
      as a single chunk) for files larger than ~1 GB (2^30 bytes)
      rather than failing with error "out of memory"
      [#3]  Fix double free after malloc failure in DTD code; commit
      7ae9c3d3af433cd4defe95234eae7dc8ed15637f
      [#17] Fix memory leak on parser error for unbound XML attribute
      prefix with new namespaces defined in the same tag;
      found by Google's OSS-Fuzz; commits
      xmlwf on Windows: Add missing calls to CloseHandle
    - New features:
      [#30] Introduced environment switch EXPAT_ENTROPY_DEBUG=1
      for runtime debugging of entropy extraction
      Bump version info from 7:2:6 to 7:3:6
* Mon Jul 18 2016 jengelh@inai.de
  - Remove pointless --with-pic (for static only)
* Thu Jul 14 2016 tchvatal@suse.com
  - Version update to 2.2.0:
    * Fixes bnc#983215 CVE-2012-6702
    * Fixes bnc#983216 CVE-2016-5300
    * Various cmake and autotools script updates
    * Fix detection of utf8 character boundaries
  - Remove all patches merged upstream:
    * expat-2.1.1-avoid_relying_on_undef_behaviour.patch
    * expat-2.1.1-parser_crashes_on_malformed_input.patch
    * expat-alloc-size.patch
    * expat-visibility.patch
* Wed May 18 2016 kstreitova@suse.com
  - add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid
    relying on undefined behavior in the original CVE-2015-1283 fix
    [bnc#980391], [bnc#983985], [CVE-2016-4472]
  - add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix
    Expat XML parser that mishandles certain kinds of malformed input
    documents [bnc#979441], [CVE-2016-0718]
  - use spec-cleaner to clean specfile
* Fri Apr 01 2016 crrodriguez@opensuse.org
  - After simplification of expat-visibility.patch, it became
    uneffective as no symbols are getting hidden. add
    - fvisibility=hidden to CFLAGS again.
  - expat-alloc-size.patch: fix braino, realloc()-like functions
    should not take __attribute__(malloc)
* Wed Mar 23 2016 idonmez@suse.com
  - Update to version 2.1.1
    * Fixes CVE-2015-1283 — Multiple integer overflows in the
      XML_GetBuffer function
    * Fix potential null pointer dereference
    * Symbol XML_SetHashSalt was not exported
    * Output of xmlwf -h was incomplete
    * Document behavior of calling XML_SetHashSalt with salt 0
    * Minor improvements to man page xmlwf(1)
  - Simplify expat-visibility.patch, refresh expat-alloc-size.patch
  - Drop config-guess-sub-update.patch, fixed upstream.
* Sat Jul 11 2015 mpluskal@suse.com
  - Cleanup spec file with spec-cleaner
  - Remove old ppc obsoletes/provides

Files

/usr/include/expat.h
/usr/include/expat_config.h
/usr/include/expat_external.h
/usr/lib64/cmake
/usr/lib64/cmake/expat-2.4.4
/usr/lib64/cmake/expat-2.4.4/expat-config-version.cmake
/usr/lib64/cmake/expat-2.4.4/expat-config.cmake
/usr/lib64/cmake/expat-2.4.4/expat-noconfig.cmake
/usr/lib64/cmake/expat-2.4.4/expat.cmake
/usr/lib64/libexpat.so
/usr/lib64/pkgconfig/expat.pc


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 20:22:04 2024