openSUSE Build Service

- Fix handling of xmlwf.1 to avoid workarounds in specfile:
  * Added libxml2-fix-xmlwf.1-handling.patch 
- Call buildconf.sh to avoid (future) issues with expat_config.h.in

- Add manpage for xmlwf, which is now available in the released tarball.

buildservice-autocommit accepted request 1146280 from

David Anes (david.anes) 3 months ago (revision 107)

baserev update by copy to link target

David Anes (david.anes) accepted request 1146279 from

David Anes (david.anes) 3 months ago (revision 106)

- Update keyring automatically from keyserver during OBS service run.
- Explicitly use --without-docbook (before it was implicit).
- Include missing files for documentation and examples.
- Add manpage for xmlwf, which is not available in the release tarball.
- Clean the spec file a bit.
- Update to 2.6.0: 
  * Security fixes:
    - CVE-2023-52425 (boo#1219559)  
      -- Fix quadratic runtime issues with big tokens
      that can cause denial of service, in partial where
      dealing with compressed XML input.  Applications
      that parsed a document in one go -- a single call to
      functions XML_Parse or XML_ParseBuffer -- were not affected.
      The smaller the chunks/buffers you use for parsing
      previously, the bigger the problem prior to the fix.
      Backporters should be careful to no omit parts of
      pull request #789 and to include earlier pull request #771,
      in order to not break the fix.
    - CVE-2023-52426 (boo#1219561)
      -- Fix billion laughs attacks for users
      compiling *without* XML_DTD defined (which is not common).
      Users with XML_DTD defined have been protected since
      Expat >=2.4.0 (and that was CVE-2013-0340 back then).
  * Bug fixes:
    - Fix parse-size-dependent "invalid token" error for
      external entities that start with a byte order mark
    - Fix NULL pointer dereference in setContext via
      XML_ExternalEntityParserCreate for compilation with
      XML_DTD undefined
    - Protect against closing entities out of order

buildservice-autocommit accepted request 1042236 from

David Anes (david.anes) over 1 year ago (revision 105)

baserev update by copy to link target

David Anes (david.anes) accepted request 1042210 from

Andreas Stieger (AndreasStieger) over 1 year ago (revision 104)

- add upstream signing key and validate source signature

buildservice-autocommit accepted request 1031257 from

David Anes (david.anes) over 1 year ago (revision 103)

baserev update by copy to link target

David Anes (david.anes) accepted request 1031256 from

David Anes (david.anes) over 1 year ago (revision 102)

- Update to 2.5.0: (bsc#1204708)
  * Security fixes:
    - CVE-2022-43680 -- Fix heap use-after-free after overeager 
      destruction of a shared DTD in function 
      XML_ExternalEntityParserCreate in out-of-memory situations.
      Expected impact is denial of service or potentially arbitrary
      code execution.
  * Bug fixes:
    - Fix curruption from undefined entities
    - Fix case when parsing was suspended while processing nested
      entities
    - Stop leaking opening tag bindings after a closing tag mismatch 
      error where a parser is reset through XML_ParserReset and then
      reused to parse
    - CMake: Fix generation of pkg-config file
    - MinGW|CMake: Fix static library name
  * Other changes:
    - Protect header expat_config.h from multiple inclusion
    - examples: Make use of XML_GetBuffer and be more consistent
      across examples
    - Address compiler warnings
    - Version info bumped from 9:9:8 to 9:10:8; see 
      https://verbump.de/ for what these numbers do

buildservice-autocommit accepted request 1005006 from

David Anes (david.anes) over 1 year ago (revision 101)

baserev update by copy to link target

David Anes (david.anes) accepted request 1005005 from

David Anes (david.anes) over 1 year ago (revision 100)

- update to 2.4.9: (bsc#1203438)
  * Security fixes:
    - CVE-2022-40674 -- Heap use-after-free vulnerability in
      function doContent. Expected impact is denial of service
      or potentially arbitrary code execution.
  * Bug fixes:
    - MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
    - docs: Fix documentation on effect of switch XML_DTD on
      symbol visibility in doc/reference.html
  * Other changes:
    - MinGW: Make fix-xmltest-log.sh drop more Wine bug output
    - Autotools: Sync CMake templates with CMake 3.22
    - CMake: Migrate from use of CMAKE_*_POSTFIX to
      dedicated variables EXPAT_*_POSTFIX to stop affecting
      other projects
    - Windows|CMake: Add missing -DXML_STATIC to test runners
      and fuzzers
    - Windows|CMake: Render .def file from a template to fix
      linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
    - MinGW|CMake: Apply MSVC .def file when linking
    - MinGW|CMake: Sync library name with GNU Autotools,
      i.e. produce libexpat-1.dll rather than libexpat.dll
      by default.  Filename libexpat.dll.a is unaffected.
    - MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
      toolchain file "cmake/mingw-toolchain.cmake" to avoid
      error "windres: Command not found" on e.g. Ubuntu 20.04
    - CMake: Unify inconsistent use of set() and option() in
      context of public build time options to take need for
      set(.. FORCE) in projects using Expat by means of
      add_subdirectory(..) off Expat's users' shoulders

buildservice-autocommit accepted request 965520 from

David Anes (david.anes) about 2 years ago (revision 99)

baserev update by copy to link target

David Anes (david.anes) accepted request 965519 from

David Anes (david.anes) about 2 years ago (revision 98)

- update to 2.4.8:
  * Other changes:
    - pkg-config: Move "-lm" to section "Libs.private"
    - CMake|MSVC: Fix pkg-config section "Libs"
    - CMake|macOS: Start using linker arguments 
      "-compatibility_version <version>" and
      "-current_version <version>" in a way compatible with GNU 
      Libtool
    - Version info bumped from 9:7:8 to 9:8:8;
      see https://verbump.de/ for what these numbers do

buildservice-autocommit accepted request 959581 from

David Anes (david.anes) about 2 years ago (revision 97)

baserev update by copy to link target

David Anes (david.anes) accepted request 959577 from

David Anes (david.anes) about 2 years ago (revision 96)

- udpate to 2.4.7 (bsc#1196784, CVE-2022-25236):
  * Bug fixes:
    - Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
      with regard to all valid URI characters (RFC 3986),
      i.e. the following set (excluding whitespace):
      ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
      0123456789 % -._~ :/?#[]@ !$&'()*+,;=
  * Other changes:
    - CMake|Windows: Store Expat version in the DLL
    - Document consequences of namespace separator choices not just
      in doc/reference.html but also in header <expat.h>
    - Document Expat's lack of validation of namespace URIs against
      RFC 3986, and that the XML 1.0r4 specification doesn't
      require Expat to validate namespace URIs, and that Expat
      may do more in that regard in future releases.
      If you find need for strict RFC 3986 URI validation on
      application level today, https://uriparser.github.io/ may
      be of interest.
    - Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
    - Document that a call to XML_FreeContentModel can be done at
      a later time from outside the element declaration handler
    - Make hardcoded namespace URIs easier to find in code
    - Update documentation on use of XML_POOR_ENTOPY on Solaris
    - tests: Resolve use of macros NAN and INFINITY for GNU G++
      4.8.2 on Solaris.
    - Version info bumped from 9:6:8 to 9:7:8;
      see https://verbump.de/ for what these numbers do

Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 956336 from

Pedro Monreal Gonzalez (pmonrealgonzalez) about 2 years ago (revision 95)

Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 956174 from

David Anes (david.anes) about 2 years ago (revision 94)

- update to 2.4.6 (bsc#1196168, CVE-2022-25313):
  * Bug fixes:
    - Fix a regression introduced by the fix for CVE-2022-25313
      in release 2.4.5 that affects applications that (1)
      call function XML_SetElementDeclHandler and (2) are
      parsing XML that contains nested element declarations
      (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
    - Version info bumped from 9:5:8 to 9:6:8;
      see https://verbump.de/ for what these numbers do.

Displaying revisions 1 - 20 of 113

Places

Revisions of expat

Places